From: Rainer W. <rwe...@mo...> - 2017-07-17 21:49:40
That's a function used to delete a ph1handle structure in handler.c. It
contains the following code (in 0.8.0 and since at least 2010, as it's in
the oldest import into my repository):
-------------
void
delph1(iph1)
	struct ph1handle *iph1;
{
	if (iph1 == NULL)
		return;
	[...]
	if (iph1->approval) {
		delisakmpsa(iph1->approval);
		iph1->approval = NULL;
	}
	VPTRINIT(iph1->authstr);
	VPTRINIT(iph1->sendbuf);
	VPTRINIT(iph1->dhpriv);
	VPTRINIT(iph1->dhpub);
	VPTRINIT(iph1->dhpub_p);
	VPTRINIT(iph1->dhgxy);
	VPTRINIT(iph1->nonce);
	VPTRINIT(iph1->nonce_p);
	VPTRINIT(iph1->skeyid);
	VPTRINIT(iph1->skeyid_d);
	VPTRINIT(iph1->skeyid_a);
	[...]
	if(iph1->approval != NULL)
		delisakmpsa(iph1->approval);
---------------
IOW, this deletes iph1->approval if it's not a null pointer and then sets
it to NULL. After a block of VPTRINITs, iph1->approval is again checked
for not being a NULL pointer and in case it isn't, it will be freed
again.
This caused some very strange effects in the racoon I'm working with
because I replaced the initial
	if (iph1->approval) {
		delisakmpsa(iph1->approval);
		iph1->approval = NULL;
	}
with
	if (iph1->approval) delisakmpsa(iph1->approval);
on the grounds that clearing pointers which won't be used anymore is
pointless. Hence, the lurking double-free came to life ...
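The three shapes of delph1() discussed in the post, reduced to a constructed stand-alone C model (added example, not racoon's code): the original release-then-clear sequence, the modified version with the clearing dropped, and a hardened variant that releases through a helper which always clears the slot. The struct, the instrumented delisakmpsa() that counts releases instead of calling free(), and the release_approval() helper are assumptions made so that the double release can be observed without crashing the process.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for racoon's struct ph1handle: only the field at issue. */
struct ph1handle {
	void *approval;
};

/* Instrumented stand-in for delisakmpsa(): records how often the SA is
 * released instead of freeing it, so a second release is observable rather
 * than undefined behaviour that aborts the program. */
static int release_count;

static void delisakmpsa(void *sa)
{
	(void)sa;
	release_count++;
}

/* Shape of the original delph1(): release, clear, VPTRINIT block (elided),
 * then the redundant second check. Safe only because the slot was cleared. */
static void delph1_original(struct ph1handle *iph1)
{
	if (iph1 == NULL)
		return;
	if (iph1->approval) {
		delisakmpsa(iph1->approval);
		iph1->approval = NULL;
	}
	/* ... VPTRINIT block elided ... */
	if (iph1->approval != NULL)
		delisakmpsa(iph1->approval);	/* never reached: approval is NULL */
}

/* The modification from the post: clearing dropped as "pointless", so the
 * second check sees the stale pointer and releases the same object again. */
static void delph1_modified(struct ph1handle *iph1)
{
	if (iph1 == NULL)
		return;
	if (iph1->approval) delisakmpsa(iph1->approval);
	/* ... VPTRINIT block elided ... */
	if (iph1->approval != NULL)
		delisakmpsa(iph1->approval);	/* double release */
}

/* Hardened idiom (assumption, modelled on the release-and-clear pattern the
 * post's VPTRINIT block uses): the helper owns both the release and the
 * clearing, so every call site is idempotent however often it runs. */
static void release_approval(void **slot)
{
	if (*slot != NULL) {
		delisakmpsa(*slot);
		*slot = NULL;
	}
}

static void delph1_hardened(struct ph1handle *iph1)
{
	if (iph1 == NULL)
		return;
	release_approval(&iph1->approval);
	/* ... VPTRINIT block elided ... */
	release_approval(&iph1->approval);	/* second call is a harmless no-op */
}

/* Run one destructor on a handle holding a constructed non-NULL approval
 * and return how many times that approval was released. */
static int count_releases(void (*destroy)(struct ph1handle *))
{
	struct ph1handle h;
	int placeholder_sa;			/* constructed object; never actually freed */

	h.approval = &placeholder_sa;
	release_count = 0;
	destroy(&h);
	return release_count;
}

int main(void)
{
	printf("original: %d release(s)\n", count_releases(delph1_original));
	printf("modified: %d release(s)\n", count_releases(delph1_modified));
	printf("hardened: %d release(s)\n", count_releases(delph1_hardened));
	return 0;
}
```

The counting stand-in is what makes the defect visible in a test: with a real free() the modified variant is undefined behaviour, and whether it crashes, corrupts the heap, or appears to work depends on the allocator. The hardened variant shows why the "pointless" clearing is the cheaper fix than auditing every later check: once release-and-clear live in one helper, a redundant second check costs nothing and a missed one cannot free twice.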