Red Hat Bugzilla – Bug 207159
LSPP: When using IPSec without labels, kernel sends an acquire with a security context containing garbage
Last modified: 2007-11-30 17:11:43 EST
LTC Owner is: email@example.com
LTC Originator is: firstname.lastname@example.org
Could not get racoon to work properly.
When using IPSec without labels, the kernel sends and ACQUIRE message that
contains a security context. This security context contains garbage. When labels
are not being used, then the kernel should send an ACQUIRE without a security
Upon looking at code, when we allocate a policy, we never initialize the
security structure in the policy. Thus it is possible for it to contain garbage.
Probably should initialize to zero or null.
I am using a rawhide kernel, vmlinuz-2.6.17-1.2617.2.1.fc6.
Machine type - lpar
Cpu type - Power5
Will add patch to this bug report as soon as I create it.
Please mirror this bug report to RedHat and to Issue Tracker.
I would also like email@example.com and firstname.lastname@example.org be added to the CC
----- Additional Comments From email@example.com 2006-09-19 15:19 EDT -------
I'm not sure this was mirrored correctly; I think the Issue Tracker numbers
start with "RIT".
----- Additional Comments From firstname.lastname@example.org (prefers email at email@example.com) 2006-09-19 15:39 EDT -------
My understanding is that we mirror with Issue Tracker for the RHEL products
and use Red Hat Bugzilla for Fedora or testing unreleased versions.
----- Additional Comments From firstname.lastname@example.org 2006-09-19 16:12 EDT -------
OK - I was thinking she was using the beta, but now I see she said rawhide.
----- Additional Comments From email@example.com 2006-09-19 17:02 EDT -------
I have compiled and tested this patch against rawhide kernel,
I have also compiled against, linux-2.6.17+patch-2.6.18-rc7+2.6.18-rc7-mm1
and will post to firstname.lastname@example.org for upstream acceptance.
diff -urpN linux-2.6.17.orig/net/xfrm/xfrm_policy.c
--- linux-2.6.17.orig/net/xfrm/xfrm_policy.c 2006-09-19 02:11:33.000000000 -0500
+++ linux-2.6.17.patch/net/xfrm/xfrm_policy.c 2006-09-19 04:33:50.000000000 -0500
@@ -319,6 +319,7 @@ struct xfrm_policy *xfrm_policy_alloc(gf
policy->timer.data = (unsigned long)policy;
policy->timer.function = xfrm_policy_timer;
+ policy->security = NULL;
----- Additional Comments From email@example.com 2006-09-20 16:08 EDT -------
the patch posted yesterday is incorrect. will post the correct patch later today
----- Additional Comments From firstname.lastname@example.org 2006-09-21 18:06 EDT -------
The bug was not in the kernel code, but in the racoon utility.
The racoon utility is the IKE daemon used to configure SAs in IPSec.
I have integrated the fix for this into the racoon patch which was posted
today on redhat-lspp mailing list.
Created attachment 136943 [details]
Latest LSPP racoon patch
This is the latest patch to solve the problem in this bug report. Please apply.
security.c:257: error: 'ASSOCIATION__POLMATCH' undeclared (first use in this
$ rpm -q libselinux-devel libsepol-devel
Found an unapplied patch to libselinux that provides this define. We'll update
this bug with the new libselinux-devel version when its built...which will be soon.
New libselinux-devel package is available. Add a BuildRequires for
> New libselinux-devel package is available
$ brew latest-pkg dist-fc6 libselinux
Build Tag Built by
---------------------------------------- -------------------- ----------------
libselinux-1.30.28-1 dist-fc6 dwalsh
oh... is in -HEAD...
----- Additional Comments From email@example.com 2007-01-17 10:47 EDT -------
I have tested this and it is working properly.