Bug 449933

Summary: buffer overflow when using command `ip xfrm`
Product: Red Hat Enterprise Linux 5 Reporter: Yang Ren <ryang>
Component: iprouteAssignee: Marcela Mašláňová <mmaslano>
Status: CLOSED ERRATA QA Contact: Brock Organ <borgan>
Severity: low Docs Contact:
Priority: low    
Version: 5.2CC: desktop-bugs, herbert.xu, iboverma, jakub, jhrozek, latten, lwang, tao
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-20 22:00:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 253764    
Attachments:
Description Flags
Fix for segfault with wrong key none

Description Yang Ren 2008-06-04 11:09:21 UTC 
Description of problem:
When I want to use `ip xfrm` to config a manual keying connection
 with two host.
It always return "*** buffer overflow detected ***: ip terminated"

I find xfrm in kernel source code so I submit it as a kernel bug.
I also provide the version for iproute

Version-Release number of selected component (if applicable):
kernel version 2.6.18-92.el5
iproute-2.6.18-7.el5

How reproducible:
always

Steps to Reproduce:
1.config your network set up two host with follow ipv6 address
3ffe:501:ffff:104::10 3ffe:501:ffff:104::11
2.# ip xfrm state add src 3ffe:501:ffff:104::10 dst 3ffe:501:ffff:104::11 proto
esp spi 0x100 auth 3des "a" mode transport
  
Actual results:
*** buffer overflow detected ***: ip terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xa44e41]
/lib/libc.so.6[0xa4444c]
ip[0x805feac]
ip[0x8060f90]
ip[0x804940c]
ip[0x8049a3e]
/lib/libc.so.6(__libc_start_main+0xdc)[0x975dec]
ip[0x8049301]
======= Memory map: ========
00416000-00425000 r-xp 00000000 08:05 11175434   /lib/libresolv-2.5.so
00425000-00426000 r-xp 0000e000 08:05 11175434   /lib/libresolv-2.5.so
00426000-00427000 rwxp 0000f000 08:05 11175434   /lib/libresolv-2.5.so
00427000-00429000 rwxp 00427000 00:00 0 
00563000-00564000 r-xp 00563000 00:00 0          [vdso]
00942000-0095c000 r-xp 00000000 08:05 11175418   /lib/ld-2.5.so
0095c000-0095d000 r-xp 00019000 08:05 11175418   /lib/ld-2.5.so
0095d000-0095e000 rwxp 0001a000 08:05 11175418   /lib/ld-2.5.so
00960000-00a9d000 r-xp 00000000 08:05 11175419   /lib/libc-2.5.so
00a9d000-00a9f000 r-xp 0013d000 08:05 11175419   /lib/libc-2.5.so
00a9f000-00aa0000 rwxp 0013f000 08:05 11175419   /lib/libc-2.5.so
00aa0000-00aa3000 rwxp 00aa0000 00:00 0 
00c26000-00c31000 r-xp 00000000 08:05 11174110   /lib/libgcc_s-4.1.2-20080102.so.1
00c31000-00c32000 rwxp 0000a000 08:05 11174110   /lib/libgcc_s-4.1.2-20080102.so.1
08048000-08070000 r-xp 00000000 08:05 10158199   /sbin/ip
08070000-08074000 rw-p 00027000 08:05 10158199   /sbin/ip
08086000-080a7000 rw-p 08086000 00:00 0 
b7fdb000-b7fdd000 rw-p b7fdb000 00:00 0 
bfd06000-bfd1c000 rw-p bfd06000 00:00 0          [stack]
Aborted

Expected results:
state establish success

Additional info:
I did not find a man page for 'ip xfrm'.
I write the command according to the usage
I also have add a policy between two host using
[root@server ~]# ip xfrm policy add dir in src 3ffe:501:ffff:104::10 dst
3ffe:501:ffff:104::11
[root@server ~]# ip xfrm policy list
src 3ffe:501:ffff:104::10/128 dst 3ffe:501:ffff:104::11/128 
	dir in priority 0 

And I change the value of ALGOKEY for many time all show buffer overflow
Comment 2 RHEL Program Management 2008-06-04 13:53:45 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Marcela Mašláňová 2008-06-04 14:46:29 UTC 
*** Bug 444724 has been marked as a duplicate of this bug. ***
Comment 4 Herbert Xu 2008-06-05 05:00:16 UTC 
What are you trying to set up here? An integrity-only ESP SA? The keyword "auth"
takes an integrity algorithm, but 3des is a confidentiality algorithm.  So
perhaps you want to s/auth/enc/?
Comment 5 Marcela Mašláňová 2008-06-05 06:50:59 UTC 
The problem is that iproute does not check its parameters for correctness enough. 
If the parameters are incorrect, iproute should not crash, but write some
readable error message. I tried different combination of parametres and it's
crashing after applying patch for xfrm support in this case :(
Comment 6 Herbert Xu 2008-06-05 07:04:42 UTC 
ip is not a privileged command so it crashing on bogus parameters is hardly an
important issue.
Comment 7 Marcela Mašláňová 2008-06-05 07:14:24 UTC 
I thought so, I'll give back low priority.
Comment 18 Marcela Mašláňová 2008-08-11 07:08:44 UTC 
*** Bug 458480 has been marked as a duplicate of this bug. ***
Comment 22 errata-xmlrpc 2009-01-20 22:00:14 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0204.html