NetBSD Problem Report #44951
From Wolfgang.Stukenbrock@nagler-company.com Tue May 10 17:08:09 2011
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 3D80D63BBC7
for <gnats-bugs@gnats.NetBSD.org>; Tue, 10 May 2011 17:08:09 +0000 (UTC)
Message-Id: <20110510170505.588D142F698@s0g7.nagler-company.com>
Date: Tue, 10 May 2011 19:05:05 +0200 (CEST)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: setkey accesses uninitialised memory
X-Send-Pr-Version: 3.95
>Number: 44951
>Category: bin
>Synopsis: setkey accesses uninitialised memory
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue May 10 17:10:00 +0000 2011
>Closed-Date: Fri May 27 18:00:54 +0000 2011
>Last-Modified: Fri May 27 18:05:02 +0000 2011
>Originator: Dr. Wolfgang Stukenbrock
>Release: NetBSD 5.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD s0g7 5.1 NetBSD 5.1 (NSW-locationGW_2) #2: Mon Mar 7 10:35:06 CET 2011 wgstuken@s012:/export/NetBSD-5.1/N+C-build/.OBJDIR_amd64/export/NetBSD-5.1/src/sys/arch/amd64/compile/NSW-locationGW_2 amd64
Architecture: x86_64
Machine: amd64
>Description:
If setkey is run in verbose mode, there are some "old" code fragments
that access uninitialized memory.
The problem is located in the postproc() routine, which assumes that the next
message for dump and spddump commands is in the memory just behind the current
message. This is true when read from a file, but not true when getting messages
from the socket.
>How-To-Repeat:
Set up some SA and/or SPD entries and run "setkey -vD" or "setkey -vaD".
>Fix:
The following patch to /usr/src/crypto/dist/ipsec-tools/src/setkey/setkey.c
will fix the problem:
--- setkey.c 2011/05/10 17:00:44 1.1
+++ setkey.c 2011/05/10 17:02:32
@@ -593,12 +593,6 @@
else
pfkey_sadump(msg);
}
- msg = (struct sadb_msg *)((caddr_t)msg +
- PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (f_verbose) {
- kdebug_sadb((struct sadb_msg *)msg);
- printf("\n");
- }
break;
case SADB_X_SPDGET:
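Review bot: the removed lines stepped `msg` forward by `PFKEY_UNUNIT64(msg->sadb_msg_len)` and handed the result to kdebug_sadb() without any check against the end of the buffer that was actually received, so on a socket reply the dump read whatever happened to follow the last message; dropping them is the right fix. Since the SADB_DUMP case now prints nothing itself, confirm that the caller emits the verbose dump once for every message in a multi-message reply (not only the first), so that `setkey -vD` output keeps one kdebug block per SA.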
@@ -613,13 +607,6 @@
pfkey_spdump_withports(msg);
else
pfkey_spdump(msg);
- if (msg->sadb_msg_seq == 0) break;
- msg = (struct sadb_msg *)((caddr_t)msg +
- PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (f_verbose) {
- kdebug_sadb((struct sadb_msg *)msg);
- printf("\n");
- }
break;
#ifdef HAVE_PFKEY_POLICY_PRIORITY
case SADB_X_SPDADD:
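Review bot: with `if (msg->sadb_msg_seq == 0) break;` removed, the SADB_X_SPDDUMP case no longer treats a zero sequence number as the end of the dump; that is harmless here only because the case ends in `break;` either way, but check that the loop calling postproc() still terminates on the last message of a multi-part SPD dump on its own rather than having relied on this sentinel. The unbounded `msg = msg + len` advance being removed here is the same out-of-buffer read as in the SADB_DUMP case above, so the two hunks should land together.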
@@ -707,6 +694,10 @@
while (p < ep) {
msg = (struct sadb_msg *)p;
len = PFKEY_UNUNIT64(msg->sadb_msg_len);
+ if (f_verbose) {
+ kdebug_sadb((struct sadb_msg *)msg);
+ printf("\n");
+ }
postproc(msg, len);
p += len;
}
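Review bot: the loop trusts `sadb_msg_len` from the reply with no sanity check: a zero length makes `p += len` spin forever, and a length larger than `ep - p` lets postproc() read past the end of the received buffer, which is the same class of problem the patch is fixing. Suggest guarding the header read and the length, e.g. `if (ep - p < sizeof(*msg)) break;` before the cast and `if (len < sizeof(*msg) || len > ep - p) break;` after computing `len`. Minor: `kdebug_sadb((struct sadb_msg *)msg)` casts a pointer that already has that type; `kdebug_sadb(msg)` is enough.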
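The contiguity assumption the report describes, shown as an added example in C that is not setkey's or ipsec-tools' code: a bounded walker over a PF_KEY reply buffer that only advances to the next message while it stays inside what recv() returned, and rejects zero, short, oversized and truncated headers instead of reading past the buffer. `struct sadb_msg` and `PFKEY_UNUNIT64` are local copies of the PF_KEY v2 layout (on NetBSD you would use <net/pfkeyv2.h> instead); the message buffers are constructed inline by the `demo_*` functions, and `walk_pfkey_reply`, `put_msg` and `set_len` are names belonging to this example only.

```c
/* Added example: bounded walk over a PF_KEY v2 reply buffer.
 * Not setkey.c code; struct sadb_msg and the macros below are local
 * copies of the PF_KEY v2 layout so the file builds anywhere. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sadb_msg {
    uint8_t  sadb_msg_version;
    uint8_t  sadb_msg_type;
    uint8_t  sadb_msg_errno;
    uint8_t  sadb_msg_satype;
    uint16_t sadb_msg_len;       /* total message length in 64-bit units */
    uint16_t sadb_msg_reserved;
    uint32_t sadb_msg_seq;
    uint32_t sadb_msg_pid;
};

#define PFKEY_UNUNIT64(a) ((size_t)(a) << 3)
#define PFKEY_UNIT64(a)   ((a) >> 3)
#define PF_KEY_V2         2
#define SADB_DUMP         10   /* RFC 2367 value, used only as a label here */

typedef void (*msg_cb)(const struct sadb_msg *hdr, size_t len, void *arg);

/* Hand every message in [buf, buf+buflen) to cb. Returns the message count,
 * or -1 if the buffer is malformed: a header that does not fit, a length
 * shorter than the header (including zero, which would loop forever), or a
 * message that claims to extend past the end of what was received. */
int walk_pfkey_reply(const unsigned char *buf, size_t buflen, msg_cb cb, void *arg)
{
    const unsigned char *p = buf, *ep = buf + buflen;
    int n = 0;

    while (p < ep) {
        struct sadb_msg hdr;
        size_t len;

        if ((size_t)(ep - p) < sizeof(hdr))
            return -1;                          /* truncated header */
        memcpy(&hdr, p, sizeof(hdr));           /* copy: no unaligned access */
        len = PFKEY_UNUNIT64(hdr.sadb_msg_len);
        if (len < sizeof(hdr) || len > (size_t)(ep - p))
            return -1;                          /* zero, short or oversized */
        if (cb)
            cb(&hdr, len, arg);
        n++;
        p += len;                               /* next message, still < ep */
    }
    return n;
}

/* Constructed test data: append one message with `extlen` bytes of zeroed
 * extension payload (rounded up to 8) at offset off; returns the new offset. */
size_t put_msg(unsigned char *buf, size_t off, uint8_t type, uint32_t seq, size_t extlen)
{
    struct sadb_msg hdr;
    size_t total = sizeof(hdr) + ((extlen + 7) & ~(size_t)7);

    memset(&hdr, 0, sizeof(hdr));
    hdr.sadb_msg_version = PF_KEY_V2;
    hdr.sadb_msg_type = type;
    hdr.sadb_msg_len = (uint16_t)PFKEY_UNIT64(total);
    hdr.sadb_msg_seq = seq;
    memcpy(buf + off, &hdr, sizeof(hdr));
    memset(buf + off + sizeof(hdr), 0, total - sizeof(hdr));
    return off + total;
}

/* Overwrite the length field of the message at buf (to corrupt test data). */
static void set_len(unsigned char *buf, uint16_t units)
{
    struct sadb_msg hdr;
    memcpy(&hdr, buf, sizeof(hdr));
    hdr.sadb_msg_len = units;
    memcpy(buf, &hdr, sizeof(hdr));
}

/* A dump reply carrying two SAs (seq 2, then seq 0) in one recv(): 2. */
int demo_two_messages(void)
{
    unsigned char buf[256];
    size_t n = put_msg(buf, 0, SADB_DUMP, 2, 24);
    n = put_msg(buf, n, SADB_DUMP, 0, 8);
    return walk_pfkey_reply(buf, n, NULL, NULL);
}

/* One message only: the old "msg + len" step would now point at buf[n],
 * memory recv() never wrote; the bounded walker stops instead: 1. */
int demo_single_message(void)
{
    unsigned char buf[64];
    size_t n = put_msg(buf, 0, SADB_DUMP, 1, 16);
    return walk_pfkey_reply(buf, n, NULL, NULL);
}

/* sadb_msg_len of 0 is rejected rather than spinning forever: -1. */
int demo_zero_length(void)
{
    unsigned char buf[64];
    size_t n = put_msg(buf, 0, SADB_DUMP, 1, 0);
    set_len(buf, 0);
    return walk_pfkey_reply(buf, n, NULL, NULL);
}

/* Length one unit longer than the bytes received is rejected: -1. */
int demo_oversized(void)
{
    unsigned char buf[64];
    size_t n = put_msg(buf, 0, SADB_DUMP, 1, 8);
    set_len(buf, (uint16_t)(PFKEY_UNIT64(n) + 1));
    return walk_pfkey_reply(buf, n, NULL, NULL);
}

/* Fewer bytes than one header is rejected: -1. */
int demo_truncated(void)
{
    unsigned char buf[64];
    put_msg(buf, 0, SADB_DUMP, 1, 8);
    return walk_pfkey_reply(buf, 8, NULL, NULL);
}

int main(void)
{
    printf("two=%d single=%d zero=%d oversized=%d truncated=%d\n",
           demo_two_messages(), demo_single_message(), demo_zero_length(),
           demo_oversized(), demo_truncated());
    return 0;
}
```

The walker copies each header out of the buffer before trusting `sadb_msg_len`, and every failure is reported to the caller rather than silently stepping to an address that only exists when the dump was read from a file.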
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: drochner@NetBSD.org
State-Changed-When: Fri, 27 May 2011 18:00:54 +0000
State-Changed-Why:
patch applied, thanks
From: "Matthias Drochner" <drochner@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44951 CVS commit: src/crypto/dist/ipsec-tools/src/setkey
Date: Fri, 27 May 2011 18:00:21 +0000
Module Name: src
Committed By: drochner
Date: Fri May 27 18:00:21 UTC 2011
Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: setkey.c
Log Message:
replace questionable pointer games which could cause reads of
uninitialized memory, from Wolfgang Stukenbrock per PR bin/44951
To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/setkey/setkey.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: