Description of problem:
When racoon receives a security context in the ACQUIRE message, the length of the security context is not checked. Instead it is stuffed into a buffer[50]. When a very large context is sent a buffer overflow occurs.

Version-Release number of selected component (if applicable):
ipsec-tools-0.6.5-6.3.el5

How reproducible:
Happens whenever you send a large security context.

Steps to Reproduce:
1. configure labeled ipsec
2. runcon "root:sysadm_r:sysadm_t:s2:c0,c2,c4,c6,c8,c10,c12,c14,c16,c18,c20,c22,c24,c26,c28,c30,c32,c34,c36,c38,c40,c42,c44,c46,c48,c50,c52,c54,c56,c58,c60,c62,c64,c66,c68,c70,c72,c74,c76,c78,c80,c82,c84,c86,c88,c90,c92,c94,c96,c98,c100,c102,c104,c106,c108,c110,c112,c114,c116,c118,c120,c122,c124,c126,c128,c130,c132,c134,c136,c138,c140,c142,c144,c146,c148,c150,c152,c154,c156,c158,c160,c162,c164,c166,c168,c170,c172,c174,c176,c178,c180,c182,c184,c186,c188,c190,c192,c194,c196,c198,c200,c202,c204,c206,c208,c210,c212,c214,c216,c218,c220,c222,c224,c226,c228,c230,c232,c234,c236,c238,c240,c242,c244,c246,c248,c250,c252,c254,c256,c258,c260,c262,c264,c266,c268,c270,c272,c274,c276,c278,c280,c282,c284,c286,c288,c290,c292,c294,c296,c298,c300,c302,c304,c306,c308,c310,c312,c314,c316,c318,c320,c322,c324,c326,c328,c330,c332,c334,c336,c338,c340,c342,c344,c346,c348,c350,c352,c354,c356,c358,c360,c362,c364,c366,c368,c370,c372,c374,c376,c378,c380,c382,c384,c386,c388,c390,c392,c394,c396,c398,c400,c402,c404,c406,c408,c410,c412,c414,c416,c418,c420,c422,c424,c426,c428,c430,c432,c434,c436,c438,c440,c442,c444,c446,c448,c450,c452,c454,c456,c458,c460,c462,c464,c466,c468,c470,c472,c474,c476,c478,c480,c482,c484,c486,c488,c490,c492,c494,c496,c498,c500,c502,c504,c506,c508,c510,c512,c514,c516,c518,c520,c522,c524,c526,c528,c530,c532,c534,c536,c538,c540,c542,c544,c546,c548,c550,c552,c554,c556,c558,c560,c562,c564,c566,c568,c570,c572,c574,c576,c578,c580,c582,c584,c586,c588,c590,c592,c594,c596,c598,c600,c602,c604,c606,c608,c610,c612,c614,c616,c618,c620,c622,c624,c626,c628,c630,c632,c634,c636,c638,c640,c642,c644,c646,c648,c650,c652,c654,c656,c658,c660,c662,c664,c666,c668,c670,c672,c674,c676,c678,c680,c682,c684,c686,c688,c690,c692,c694,c696,c698,c700,c702,c704,c706,c708,c710,c712,c714,c716,c718,c720,c722,c724,c726,c728,c730,c732,c734,c736,c738,c740,c742,c744,c746,c748,c750,c752,c754,c756,c758,c760,c762,c764,c766,c768,c770,c772,c774,c776,c778,c780,c782,c784,c786,c788,c790,c792,c794,c796,c798,c800,c802,c804,c806,c808,c810,c812,c814,c816,c818,c820,c822,c824,c826,c828,c830,c832,c834,c836,c838,c840,c842,c844,c846,c848,c850,c852,c854,c856,c858,c860,c862,c864,c866,c868,c870,c872,c874,c876,c878,c880,c882,c884,c886,c888,c890,c892,c894,c896,c898,c900,c902,c904,c906,c908,c910,c912,c914,c916,c918,c920,c922,c924,c926,c928,c930,c932,c934,c936,c938,c940,c942,c944,c946,c948,c950,c952,c954,c956,c958,c960,c962,c964,c966,c968,c970,c972,c974,c976,c978,c980,c982,c984,c986,c988,c990,c992,c994,c996,c998,c1000,c1002,c1004,c1006,c1008,c1010,c1012,c1014,c1016,c1018,c1020,c1022" -- ping <remote host>

Actual results:
racoon dies.

Expected results:
should throw an error and end negotiation

Additional info:
Will fix tonight.
Joy, do you want me to write the patch for this or are you working on it? I think it's a matter of changing ctx_str to be a pointer to memory rather than an array and adding the allocation/free calls.
Steve, that would be great, thanks!
Created attachment 152458 [details] patch increasing buffer size This is a quick and dirty patch that will let people continue testing. A better patch would allocate security_ctx as a variable sized struct.
Created attachment 152467 [details] Check that security context string doesn't overflow the buffer. Steve, bumping up MAX for security context string length sounds ok to me. I also included this patch to make sure we check for buffer overflow.
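Added example, not taken from the attached ipsec-tools patches, sketching in C the two fixes discussed in this thread: the length check before copying into the fixed ctx_str array (the overflow check patch), and the variable-sized allocation Steve suggested. The struct layout, the field names other than ctx_str, and the MAX_CTXSTR_SIZE value are assumptions, not racoon's real definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Assumed stand-in for the raised limit; racoon's real constant and
 * struct layout are not on this page. */
#define MAX_CTXSTR_SIZE 256

/* Fixed-size record, the shape of the vulnerable code path. */
struct security_ctx_fixed {
    unsigned char ctx_doi;
    unsigned char ctx_alg;
    size_t ctx_strlen;
    char ctx_str[MAX_CTXSTR_SIZE];
};

/* Fix 1: refuse the context before touching the buffer.
 * Returns 0 on success, -1 if it would not fit (the caller logs an
 * error and ends the negotiation instead of copying). */
int set_ctx_checked(struct security_ctx_fixed *sc, const char *ctx, size_t len)
{
    if (len >= sizeof(sc->ctx_str))      /* keep room for the NUL */
        return -1;
    memcpy(sc->ctx_str, ctx, len);
    sc->ctx_str[len] = '\0';
    sc->ctx_strlen = len;
    return 0;
}

/* Fix 2: variable-sized struct, sized from the received length. */
struct security_ctx_dyn {
    unsigned char ctx_doi;
    unsigned char ctx_alg;
    size_t ctx_strlen;
    char ctx_str[];                      /* C99 flexible array member */
};

/* Returns NULL if the size computation would wrap or malloc fails. */
struct security_ctx_dyn *alloc_ctx(const char *ctx, size_t len)
{
    struct security_ctx_dyn *sc;
    if (len > SIZE_MAX - sizeof(*sc) - 1)
        return NULL;
    sc = malloc(sizeof(*sc) + len + 1);
    if (sc == NULL)
        return NULL;
    memcpy(sc->ctx_str, ctx, len);
    sc->ctx_str[len] = '\0';
    sc->ctx_strlen = len;
    return sc;
}
```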
ipsec-tools-0.6.5-6.4 was built with both of the above patches. Retest is needed.
I am using the new ipsec-tools and racoon and all appears to be working well. Consider this retested.