diff --git a/libreswan-4.15-whack-fd-refcount.patch b/libreswan-4.15-whack-fd-refcount.patch
new file mode 100644
index 0000000..79d0b28
--- /dev/null
+++ b/libreswan-4.15-whack-fd-refcount.patch
@@ -0,0 +1,32 @@
+From b09f6edd9148cb08d70f8bad604efa064c9188e0 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Mon, 21 Oct 2024 09:25:06 +0900
+Subject: [PATCH] pluto: fix refcounting of whack FD at CREATE_CHILD_SA request
+
+After commit 6341e0d0257f26a7883bc5d1abff50ac362c625b, whack FD copied
+to a larval Child SA in submit_v2_CREATE_CHILD_SA_new_child is not
+properly closed at the completion of the CREATE_CHILD_SA exchange, as
+new_v2_child_state increases the reference count of the whack FD
+before sharing it with the IKE SA.
+
+Signed-off-by: Daiki Ueno
+---
+ programs/pluto/ikev2_create_child_sa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/programs/pluto/ikev2_create_child_sa.c b/programs/pluto/ikev2_create_child_sa.c
+index 034266e7a6..951485d063 100644
+--- a/programs/pluto/ikev2_create_child_sa.c
++++ b/programs/pluto/ikev2_create_child_sa.c
+@@ -710,7 +710,7 @@ void submit_v2_CREATE_CHILD_SA_new_child(struct ike_sa *ike,
+ struct child_sa *larval_child = new_v2_child_state(c, ike, IPSEC_SA,
+ SA_INITIATOR,
+ STATE_V2_NEW_CHILD_I0,
+- whackfd);
++ null_fd);
+
+ free_chunk_content(&larval_child->sa.st_ni); /* this is from the parent. */
+ free_chunk_content(&larval_child->sa.st_nr); /* this is from the parent. */
+--
+2.47.0
+
diff --git a/libreswan.spec b/libreswan.spec
index beeba88..6e96318 100644
--- a/libreswan.spec
+++ b/libreswan.spec
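Review bot: The `null_fd` argument passed to `new_v2_child_state()` in the embedded hunk for programs/pluto/ikev2_create_child_sa.c has no comment, so the ownership rule that motivates it lives only in the patch description. A one-line comment at the call would keep it next to the code, for example `/* null_fd: new_v2_child_state() takes its own reference, which left the whack FD open after the exchange */`. The body of `submit_v2_CREATE_CHILD_SA_new_child` continues outside the hunk, so it cannot be confirmed from these lines whether `whackfd` is still attached to the larval child afterwards and released on every exit path. Because a descriptor that is never closed accumulates in a long-running daemon, a regression check that the whack client's connection is closed once CREATE_CHILD_SA completes would presumably be worth carrying with this backport.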
@@ -31,7 +31,7 @@ Name: libreswan
 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
 Version: 4.15
-Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}4%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/
 Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@@ -43,6 +43,7 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 Patch: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
 Patch: libreswan-4.15-ondemand-tcp.patch
 Patch: libreswan-4.15-netlink-extack.patch
+Patch: libreswan-4.15-whack-fd-refcount.patch
 BuildRequires: audit-libs-devel
 BuildRequires: bison
@@ -198,6 +199,9 @@ certutil -N -d sql:$tmpdir --empty-password
 %doc %{_mandir}/*/*
 %changelog
+* Tue Nov 12 2024 Daiki Ueno - 4.15-4
+- pluto: fix refcounting of whack FD at CREATE_CHILD_SA request (RHEL-61461)
+
 * Tue Aug 6 2024 Daiki Ueno - 4.15-3
 - Fix release number