Bug 689178

Summary: [PATCH] xl2tpd buffer overrun and failure
Product: [Fedora] Fedora
Reporter: Matt Domsch <matt_domsch>
Component: xl2tpd
Assignee: Paul Wouters <pwouters>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: pwouters
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-02-28 03:05:53 UTC

Attachments:
xl2tpd-buffer-overrun.patch (flags: none)

Description Matt Domsch 2011-03-20 04:44:20 UTC
Created attachment 486434 [details]
xl2tpd-buffer-overrun.patch

Description of problem:
Use a 16-character secret in l2tp-secrets, or shorter.  bufferDump() function fails (gcc stack overflow test catches it and aborts the program) by overwriting the end of the 'line' buffer if a multiple-of-16-length string (such as the expansion of an md5sum field, or the 16 characters of the secret).

Version-Release number of selected component (if applicable):
1.2.7-1.f14

How reproducible:
easily

Steps to Reproduce:
1. see above
Actual results:
xl2tpd[30300]: handle_challenge: making response for tunnel: 960
xl2tpd[30300]: get_secret: we are '*', they are '*', secret is '"abcdefghijklmnop"'
xl2tpd[30300]: *handle_challenge: Here comes the chal->ss:
xl2tpd[30300]: bufferDump:             buffer[0]: *02*
xl2tpd[30300]: handle_challenge: Here comes the secret
xl2tpd[30300]: bufferDump: buflen=18, buffer[0]: *226162636465666768696a6b6c6d6e6f*
xl2tpd[30300]: bufferDump:             buffer[1]: *7022*
*** stack smashing detected ***: /usr/sbin/xl2tpd terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x2c55dd]
/lib/libc.so.6[0x2c558a]
/usr/sbin/xl2tpd[0x804c14d]
/usr/sbin/xl2tpd[0x805a4a8]
/usr/sbin/xl2tpd[0x804e44f]
/usr/sbin/xl2tpd[0x805642a]
/usr/sbin/xl2tpd[0x804baea]
/lib/libc.so.6(__libc_start_main+0xe6)[0x1eae36]
/usr/sbin/xl2tpd[0x8049311]
======= Memory map: ========
00110000-00111000 r-xp 00000000 00:00 0          [vdso]
001b3000-001d0000 r-xp 00000000 08:06 3080245    /lib/ld-2.13.so
001d0000-001d1000 r--p 0001c000 08:06 3080245    /lib/ld-2.13.so
001d1000-001d2000 rw-p 0001d000 08:06 3080245    /lib/ld-2.13.so
001d4000-00357000 r-xp 00000000 08:06 3080568    /lib/libc-2.13.so
00357000-00358000 ---p 00183000 08:06 3080568    /lib/libc-2.13.so
00358000-0035a000 r--p 00183000 08:06 3080568    /lib/libc-2.13.so
0035a000-0035b000 rw-p 00185000 08:06 3080568    /lib/libc-2.13.so
0035b000-0035e000 rw-p 00000000 00:00 0 
003c7000-003e3000 r-xp 00000000 08:06 3080764    /lib/libgcc_s-4.5.1-20100924.so.1
003e3000-003e4000 rw-p 0001b000 08:06 3080764    /lib/libgcc_s-4.5.1-20100924.so.1
08048000-08064000 r-xp 00000000 08:06 216980     /usr/sbin/xl2tpd
08064000-08065000 rw-p 0001b000 08:06 216980     /usr/sbin/xl2tpd
08065000-08089000 rw-p 00000000 00:00 0          [heap]
b7fe4000-b7fe5000 rw-p 00000000 00:00 0 
b7fff000-b8000000 rw-p 00000000 00:00 0 
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0x00110416 in __kernel_vsyscall ()
(gdb) bt
#0  0x00110416 in __kernel_vsyscall ()
#1  0x001ff2f1 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00200d5e in abort () at abort.c:92
#3  0x0023b51d in __libc_message (do_abort=2, fmt=0x31f4cb "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#4  0x002c55dd in __fortify_fail (msg=0x31f4b3 "stack smashing detected") at fortify_fail.c:32
#5  0x002c558a in __stack_chk_fail () at stack_chk_fail.c:29
#6  0x0804c14d in bufferDump (buf=0x8069bb9 "\"abcdefghijklmnop\"", buflen=18) at misc.c:144
#7  0x0805a4a8 in handle_challenge (t=0x8069a00, chal=0x8069b60) at aaa.c:267
#8  0x0804e44f in control_finish (t=0x8069a00, c=0x8069e10) at control.c:462
#9  0x0805642a in network_thread () at network.c:555
#10 0x0804baea in main (argc=2, argv=0xbffff6c4) at xl2tpd.c:1313


Expected results:
no failure

Additional info:
see attached patch which fixes it.
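
The report above describes the classic shape of this bug: a hex-dump routine that renders 16 input bytes per line into a fixed stack buffer, where a chunk of exactly 16 bytes needs 32 hex digits plus a NUL terminator, one byte more than a 32-byte line buffer holds. The following is an added illustration, not xl2tpd's bufferDump() and not the attached patch: a hypothetical hex-dump written so that the line buffer is sized for the full chunk plus terminator, with an explicit fit check that refuses to write when a caller hands it a buffer that is too small. The input is the 18-byte value shown in the report's log (the quoted secret), so the two lines it produces can be compared directly against the `buffer[0]` and `buffer[1]` lines above.

```c
#include <stdio.h>
#include <string.h>

/* Input bytes rendered per output line, matching the 16-byte lines in the log. */
#define DUMP_WIDTH 16

/* Room for one full line: two hex digits per byte plus the NUL terminator.
 * A buffer of only 2*DUMP_WIDTH bytes is exactly one byte short for a full
 * 16-byte chunk, which is the off-by-one class the report describes. */
#define LINE_BUF_SIZE (2 * DUMP_WIDTH + 1)

/* Hypothetical helper: bytes needed to hold the hex form of n input bytes. */
size_t hex_line_needed(size_t n) { return 2 * n + 1; }

/* Returns 1 when an output buffer of outsz bytes can hold n input bytes as hex. */
int hex_line_fits(size_t n, size_t outsz) { return hex_line_needed(n) <= outsz; }

/* Render up to DUMP_WIDTH bytes from buf as lowercase hex into out.
 * Returns the number of input bytes consumed, or 0 when out is too small;
 * refusing is deliberate so a caller notices instead of corrupting the stack. */
size_t hex_line(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    size_t n = len < DUMP_WIDTH ? len : DUMP_WIDTH;
    if (!hex_line_fits(n, outsz)) {
        if (outsz) out[0] = '\0';
        return 0;
    }
    /* Each snprintf writes two digits and a NUL; the fit check above guarantees
     * at least 3 bytes remain at out + 2*i for every i < n. */
    for (size_t i = 0; i < n; i++)
        snprintf(out + 2 * i, outsz - 2 * i, "%02x", buf[i]);
    out[2 * n] = '\0'; /* also correct for n == 0 */
    return n;
}

/* Dump buf as successive hex lines into lines[]; returns the number of lines written. */
size_t hex_dump(const unsigned char *buf, size_t len,
                char lines[][LINE_BUF_SIZE], size_t max_lines)
{
    size_t written = 0, off = 0;
    while (off < len && written < max_lines) {
        size_t n = hex_line(buf + off, len - off, lines[written], LINE_BUF_SIZE);
        if (n == 0)
            break;
        off += n;
        written++;
    }
    return written;
}

int main(void)
{
    /* Constructed input: the 18-byte value from the report's log, i.e. the
     * 16-character secret including the double quotes around it. */
    const char *secret = "\"abcdefghijklmnop\"";
    char lines[4][LINE_BUF_SIZE];
    size_t count = hex_dump((const unsigned char *)secret, strlen(secret), lines, 4);
    for (size_t i = 0; i < count; i++)
        printf("buffer[%zu]: *%s*\n", i, lines[i]);
    return 0;
}
```

The point of the `hex_line_fits` check is the boundary the report hit: for 15 input bytes a 32-byte line buffer is fine, for 16 it is one byte short, and that single byte is what the gcc stack protector reported as "stack smashing detected". Sizing the buffer from `DUMP_WIDTH` and checking the fit before writing keeps the dump correct for every input length, including the exact multiples of 16 that triggered the abort.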

Comment 1 Paul Wouters 2011-03-20 05:31:28 UTC
fixed in the upstream git repo. Thanks!

As I'm upstream and packager, I'll release 1.2.9 in the next few days, then package that up.

Comment 2 Paul Wouters 2011-10-06 02:07:29 UTC
Fixed in 1.2.9, but not all branches have been updated yet. Will sync all of them to 1.3.1