Bug 747852

Summary: Missing else keyword (openswan)
Product: Red Hat Enterprise Linux 5
Component: openswan
Version: 5.8
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: ---
Keywords: Reopened
Reporter: Pavel Raiskup <praiskup>
Assignee: Paul Wouters <pwouters>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Docs Contact:
CC: amarecek, eparis, jrieden, kdudka, pkis, pwouters, sgrubb
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 747966
Environment:
Last Closed: 2014-04-22 21:08:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 747966, 1049888

Description Pavel Raiskup 2011-10-21 06:52:36 UTC
=> openswan-2.6.32/programs/pluto/ike_alg.c:87

When ike_alg_get_encrypter returns NULL (line 82) there is a NULL dereference
on line 87 when asking for enc_desc->keyminlen.

There is probably an else keyword missing on line 87 (else-if statement).

a) ike_alg_get_encrypter fails on line 82;
b) enc_desc is dereferenced on line 87.

This problem was newly found in RHEL 5.8 by Coverity difference scan on RHEL packages 5.7 → 5.8.

version: openswan-2.6.32

Comment 1 Avesh Agarwal 2011-10-21 13:54:23 UTC
I looked at the code, and that seems like a false alarm. The code checks whether enc_desc is null or not before dereferencing it and returns false. So this seems like not a bug.

Comment 2 Steve Grubb 2011-10-21 14:18:51 UTC
Avesh, there is a bug there:

        enc_desc = ike_alg_get_encrypter(ealg);

Suppose this is NULL.

        if (!enc_desc) {

It goes in here:

                /* failure: encrypt algo must be present */
                snprintf(ugh_buf, ugh_buf_len, "encrypt algo not found");
                ret = FALSE;

It does not return, so it hits the next line:

        } if ((key_len) && ((key_len < enc_desc->keyminlen)

It segfaults here, because it probably should be "else if" so that it skips over this block.
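
As an added illustration (not openswan's code and not part of this bug's comments), the control flow Steve describes above, modelled in C with a constructed descriptor table and a constructed lookup that does return NULL for an unknown algorithm, which, as comment 8 notes, the real ike_alg_get_encrypter() never does. The names get_encrypter, check_key_buggy and check_key_fixed are assumptions; the buggy variant is the pattern as quoted, the fixed variant has the else that is missing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for openswan's encrypter descriptor (assumption). */
struct enc_desc { int algo_id; unsigned keyminlen; };

/* Constructed table: only algorithm id 3 is known. */
static const struct enc_desc enc_table[] = { { 3, 128 } };

/* Constructed lookup. Unlike the real ike_alg_get_encrypter() (see
 * comment 8), this one does return NULL for an unknown algorithm. */
static const struct enc_desc *get_encrypter(int ealg)
{
    for (size_t i = 0; i < sizeof enc_table / sizeof enc_table[0]; i++)
        if (enc_table[i].algo_id == ealg)
            return &enc_table[i];
    return NULL;
}

/* The pattern from comment 2: `ret = false` does not leave the function,
 * so the second `if` still runs and dereferences a NULL enc_desc. */
bool check_key_buggy(int ealg, unsigned key_len, char *ugh, size_t ugh_len)
{
    bool ret = true;
    const struct enc_desc *enc_desc = get_encrypter(ealg);
    if (!enc_desc) {
        snprintf(ugh, ugh_len, "encrypt algo not found");
        ret = false;
    } if (key_len && key_len < enc_desc->keyminlen) { /* NULL deref */
        snprintf(ugh, ugh_len, "key_len below keyminlen");
        ret = false;
    }
    return ret;
}

/* Corrected form: `else if` skips the length check when the lookup failed. */
bool check_key_fixed(int ealg, unsigned key_len, char *ugh, size_t ugh_len)
{
    bool ret = true;
    const struct enc_desc *enc_desc = get_encrypter(ealg);
    if (!enc_desc) {
        snprintf(ugh, ugh_len, "encrypt algo not found");
        ret = false;
    } else if (key_len && key_len < enc_desc->keyminlen) {
        snprintf(ugh, ugh_len, "key_len below keyminlen");
        ret = false;
    }
    return ret;
}
```

Only check_key_fixed is safe to call with an unknown algorithm; check_key_buggy with an unknown id crashes exactly as described in the comment.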

Comment 3 Avesh Agarwal 2011-10-21 14:24:29 UTC
Steve, you are right, I misread it, thinking ret=false is a return statement. I think that needs to be corrected.

Comment 6 Avesh Agarwal 2011-10-21 17:07:42 UTC
This is cloned to bz 747966 for 6.2.

Comment 7 Paul Wouters 2011-10-23 04:34:04 UTC
Fix committed, will be in openswan 2.6.37.

Comment 8 Paul Wouters 2011-10-24 01:21:50 UTC
note that ike_alg_get_encrypter() never returns NULL though...

Comment 11 RHEL Program Management 2012-04-19 11:51:27 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 13 Avesh Agarwal 2013-01-10 16:04:30 UTC
This is already fixed as part of released openswan version in 5.9, so closing this.

Comment 14 Paul Wouters 2013-05-19 18:15:40 UTC
Re-opening for rhel-5.10.0 as it has not yet been fixed in 5.9 despite comment #13 claiming so.

Comment 16 RHEL Program Management 2014-01-22 16:34:32 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.