Bug 236121 - LSPP: racoon has a buffer overflow when receiving large security context from kernel
Summary: LSPP: racoon has a buffer overflow when receiving large security context from...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipsec-tools
Version: 5.0
Hardware: powerpc
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Steve Conklin
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks: RHEL5LSPPCertTracker
Reported: 2007-04-12 00:32 UTC by Joy Latten
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2007-0342
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-27 14:14:38 UTC
Target Upstream Version:


Attachments
patch increasing buffer size (deleted)
2007-04-12 15:04 UTC, Steve Grubb
Check that security context string doesn't overflow the buffer. (deleted)
2007-04-12 15:37 UTC, Joy Latten

Description Joy Latten 2007-04-12 00:32:10 UTC
Description of problem:
When racoon receives a security context in the ACQUIRE message, the
length of the security context is not checked. Instead, it is stuffed into
a buffer[50]. When a very large context is sent, a buffer overflow occurs.

Version-Release number of selected component (if applicable):

ipsec-tools-0.6.5-6.3.el5

How reproducible:
Happens whenever you send a large security context.

Steps to Reproduce:
1. configure labeled ipsec
2. runcon
"root:sysadm_r:sysadm_t:s2:c0,c2,c4,c6,c8,c10,c12,c14,c16,c18,c20,c22,c2 
4,c26,c28,c30,c32,c34,c36,c38,c40,c42,c44,c46,c48,c50,c52,c54,c56,c58,c6 
0,c62,c64,c66,c68,c70,c72,c74,c76,c78,c80,c82,c84,c86,c88,c90,c92,c94,c9 
6,c98,c100,c102,c104,c106,c108,c110,c112,c114,c116,c118,c120,c122,c124,c 
126,c128,c130,c132,c134,c136,c138,c140,c142,c144,c146,c148,c150,c152,c15 
4,c156,c158,c160,c162,c164,c166,c168,c170,c172,c174,c176,c178,c180,c182, 
c184,c186,c188,c190,c192,c194,c196,c198,c200,c202,c204,c206,c208,c210,c2 
12,c214,c216,c218,c220,c222,c224,c226,c228,c230,c232,c234,c236,c238,c240 
,c242,c244,c246,c248,c250,c252,c254,c256,c258,c260,c262,c264,c266,c268,c 
270,c272,c274,c276,c278,c280,c282,c284,c286,c288,c290,c292,c294,c296,c29 
8,c300,c302,c304,c306,c308,c310,c312,c314,c316,c318,c320,c322,c324,c326, 
c328,c330,c332,c334,c336,c338,c340,c342,c344,c346,c348,c350,c352,c354,c3 
56,c358,c360,c362,c364,c366,c368,c370,c372,c374,c376,c378,c380,c382,c384 
,c386,c388,c390,c392,c394,c396,c398,c400,c402,c404,c406,c408,c410,c412,c 
414,c416,c418,c420,c422,c424,c426,c428,c430,c432,c434,c436,c438,c440,c44 
2,c444,c446,c448,c450,c452,c454,c456,c458,c460,c462,c464,c466,c468,c470, 
c472,c474,c476,c478,c480,c482,c484,c486,c488,c490,c492,c494,c496,c498,c5 
00,c502,c504,c506,c508,c510,c512,c514,c516,c518,c520,c522,c524,c526,c528 
,c530,c532,c534,c536,c538,c540,c542,c544,c546,c548,c550,c552,c554,c556,c 
558,c560,c562,c564,c566,c568,c570,c572,c574,c576,c578,c580,c582,c584,c58 
6,c588,c590,c592,c594,c596,c598,c600,c602,c604,c606,c608,c610,c612,c614, 
c616,c618,c620,c622,c624,c626,c628,c630,c632,c634,c636,c638,c640,c642,c6 
44,c646,c648,c650,c652,c654,c656,c658,c660,c662,c664,c666,c668,c670,c672 
,c674,c676,c678,c680,c682,c684,c686,c688,c690,c692,c694,c696,c698,c700,c 
702,c704,c706,c708,c710,c712,c714,c716,c718,c720,c722,c724,c726,c728,c73 
0,c732,c734,c736,c738,c740,c742,c744,c746,c748,c750,c752,c754,c756,c758, 
c760,c762,c764,c766,c768,c770,c772,c774,c776,c778,c780,c782,c784,c786,c7 
88,c790,c792,c794,c796,c798,c800,c802,c804,c806,c808,c810,c812,c814,c816 
,c818,c820,c822,c824,c826,c828,c830,c832,c834,c836,c838,c840,c842,c844,c 
846,c848,c850,c852,c854,c856,c858,c860,c862,c864,c866,c868,c870,c872,c87 
4,c876,c878,c880,c882,c884,c886,c888,c890,c892,c894,c896,c898,c900,c902, 
c904,c906,c908,c910,c912,c914,c916,c918,c920,c922,c924,c926,c928,c930,c9 
32,c934,c936,c938,c940,c942,c944,c946,c948,c950,c952,c954,c956,c958,c960 
,c962,c964,c966,c968,c970,c972,c974,c976,c978,c980,c982,c984,c986,c988,c 
990,c992,c994,c996,c998,c1000,c1002,c1004,c1006,c1008,c1010,c1012,c1014, 
c1016,c1018,c1020,c1022" -- ping <remote host>

  
Actual results:
racoon dies.

Expected results:
should throw an error and end negotiation

Additional info:
Will fix tonight.

Comment 1 Steve Grubb 2007-04-12 14:08:55 UTC
Joy, do you want me to write the patch for this or are you working on it? I
think it's a matter of changing ctx_str to be a pointer to memory rather than an
array and adding the allocation/free calls.

Comment 2 Joy Latten 2007-04-12 14:28:04 UTC
Steve, that would be great, thanks!


Comment 3 Steve Grubb 2007-04-12 15:04:31 UTC
Created attachment 152458 [details]
patch increasing buffer size

This is a quick and dirty patch that will let people continue testing. A better
patch would allocate security_ctx as a variable sized struct.

Comment 5 Joy Latten 2007-04-12 15:37:10 UTC
Created attachment 152467 [details]
Check that security context string doesn't overflow the buffer.

Steve, bumping up MAX for security context string length sounds ok to me.
I also included this patch to make sure we check for buffer overflow.

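The two fixes discussed above (a length check before copying into the fixed ctx_str array, and Comment 3's variable-sized struct), as an added example that is not racoon's or the patches' own code. Only ctx_str and the 50-byte buffer come from the report; the struct layout, field names and function names are assumptions.

```c
/* Added example, not racoon's code. Field and function names other than
 * ctx_str and the 50-byte limit are assumptions modelled on the report. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CTXSTR_SIZE 50          /* the buffer[50] from the report */

struct security_ctx {
    uint8_t  ctx_doi;
    uint8_t  ctx_alg;
    uint16_t ctx_strlen;            /* length of the label, including NUL */
    char     ctx_str[MAX_CTXSTR_SIZE];
};

/* Fix 1: keep the fixed buffer but refuse labels that do not fit.
 * Returns 0 on success, -1 when the label is too long, so the caller can
 * log an error and end the negotiation instead of overflowing ctx_str. */
int set_ctx_checked(struct security_ctx *sc, const char *label, size_t len)
{
    if (len == 0 || len > MAX_CTXSTR_SIZE)   /* len counts the NUL byte */
        return -1;
    memcpy(sc->ctx_str, label, len);
    sc->ctx_str[len - 1] = '\0';             /* guarantee termination */
    sc->ctx_strlen = (uint16_t)len;
    return 0;
}

/* Fix 2: size the struct to the label instead of capping it (C99 flexible
 * array member). No overflow is possible because the allocation is derived
 * from the checked length; the caller frees the result. */
struct security_ctx_var {
    uint8_t  ctx_doi;
    uint8_t  ctx_alg;
    uint16_t ctx_strlen;
    char     ctx_str[];
};

struct security_ctx_var *alloc_ctx(const char *label, size_t len)
{
    if (len == 0 || len > UINT16_MAX)        /* must fit the length field */
        return NULL;
    struct security_ctx_var *sc = malloc(sizeof(*sc) + len);
    if (sc == NULL)
        return NULL;
    sc->ctx_doi = sc->ctx_alg = 0;
    memcpy(sc->ctx_str, label, len);
    sc->ctx_str[len - 1] = '\0';
    sc->ctx_strlen = (uint16_t)len;
    return sc;
}
```

A label the size of the one in the reproduction steps is rejected by set_ctx_checked and accepted, fully intact, by alloc_ctx.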
Comment 6 Steve Grubb 2007-04-12 16:13:19 UTC
ipsec-tools-0.6.5-6.4 was built with both of the above patches. Retest is needed.

Comment 7 Joy Latten 2007-04-12 21:12:31 UTC
I am using the new ipsec-tools and racoon and all appears to be working well.
Consider this retested. 

