236121 – LSPP: racoon has a buffer overflow when receiving large security context from kernel

Bug 236121 - LSPP: racoon has a buffer overflow when receiving large security context from kernel

Summary: LSPP: racoon has a buffer overflow when receiving large security context from...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	ipsec-tools
Sub Component:
Version:	5.0
Hardware:	powerpc
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Steve Conklin
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	RHEL5LSPPCertTracker
TreeView+	depends on / blocked

Reported:	2007-04-12 00:32 UTC by Joy Latten
Modified:	2007-11-30 22:07 UTC (History)
CC List:	5 users (show)
Fixed In Version:	RHSA-2007-0342
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-06-27 14:14:38 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
patch increasing buffer size (748 bytes, patch) 2007-04-12 15:04 UTC, Steve Grubb	no flags	Details \| Diff
Check that security context string doesn't overflow the buffer. (699 bytes, patch) 2007-04-12 15:37 UTC, Joy Latten	no flags	Details \| Diff
View All

Description Joy Latten 2007-04-12 00:32:10 UTC

Description of problem:
When racoon receives a security context in the ACQUIRE message, the
length of the security context is not checked. Instead it stuffed into 
a buffer[50]. When a very large context is sent a buffer overflow occurs.

Version-Release number of selected component (if applicable):

ipsec-tools-0.6.5-6.3.el5

How reproducible:
Happens whenever you send a large security context.

Steps to Reproduce:
1.configure labeled ipsec
2. runcon  
"root:sysadm_r:sysadm_t:s2:c0,c2,c4,c6,c8,c10,c12,c14,c16,c18,c20,c22,c2 
4,c26,c28,c30,c32,c34,c36,c38,c40,c42,c44,c46,c48,c50,c52,c54,c56,c58,c6 
0,c62,c64,c66,c68,c70,c72,c74,c76,c78,c80,c82,c84,c86,c88,c90,c92,c94,c9 
6,c98,c100,c102,c104,c106,c108,c110,c112,c114,c116,c118,c120,c122,c124,c 
126,c128,c130,c132,c134,c136,c138,c140,c142,c144,c146,c148,c150,c152,c15 
4,c156,c158,c160,c162,c164,c166,c168,c170,c172,c174,c176,c178,c180,c182, 
c184,c186,c188,c190,c192,c194,c196,c198,c200,c202,c204,c206,c208,c210,c2 
12,c214,c216,c218,c220,c222,c224,c226,c228,c230,c232,c234,c236,c238,c240 
,c242,c244,c246,c248,c250,c252,c254,c256,c258,c260,c262,c264,c266,c268,c 
270,c272,c274,c276,c278,c280,c282,c284,c286,c288,c290,c292,c294,c296,c29 
8,c300,c302,c304,c306,c308,c310,c312,c314,c316,c318,c320,c322,c324,c326, 
c328,c330,c332,c334,c336,c338,c340,c342,c344,c346,c348,c350,c352,c354,c3 
56,c358,c360,c362,c364,c366,c368,c370,c372,c374,c376,c378,c380,c382,c384 
,c386,c388,c390,c392,c394,c396,c398,c400,c402,c404,c406,c408,c410,c412,c 
414,c416,c418,c420,c422,c424,c426,c428,c430,c432,c434,c436,c438,c440,c44 
2,c444,c446,c448,c450,c452,c454,c456,c458,c460,c462,c464,c466,c468,c470, 
c472,c474,c476,c478,c480,c482,c484,c486,c488,c490,c492,c494,c496,c498,c5 
00,c502,c504,c506,c508,c510,c512,c514,c516,c518,c520,c522,c524,c526,c528 
,c530,c532,c534,c536,c538,c540,c542,c544,c546,c548,c550,c552,c554,c556,c 
558,c560,c562,c564,c566,c568,c570,c572,c574,c576,c578,c580,c582,c584,c58 
6,c588,c590,c592,c594,c596,c598,c600,c602,c604,c606,c608,c610,c612,c614, 
c616,c618,c620,c622,c624,c626,c628,c630,c632,c634,c636,c638,c640,c642,c6 
44,c646,c648,c650,c652,c654,c656,c658,c660,c662,c664,c666,c668,c670,c672 
,c674,c676,c678,c680,c682,c684,c686,c688,c690,c692,c694,c696,c698,c700,c 
702,c704,c706,c708,c710,c712,c714,c716,c718,c720,c722,c724,c726,c728,c73 
0,c732,c734,c736,c738,c740,c742,c744,c746,c748,c750,c752,c754,c756,c758, 
c760,c762,c764,c766,c768,c770,c772,c774,c776,c778,c780,c782,c784,c786,c7 
88,c790,c792,c794,c796,c798,c800,c802,c804,c806,c808,c810,c812,c814,c816 
,c818,c820,c822,c824,c826,c828,c830,c832,c834,c836,c838,c840,c842,c844,c 
846,c848,c850,c852,c854,c856,c858,c860,c862,c864,c866,c868,c870,c872,c87 
4,c876,c878,c880,c882,c884,c886,c888,c890,c892,c894,c896,c898,c900,c902, 
c904,c906,c908,c910,c912,c914,c916,c918,c920,c922,c924,c926,c928,c930,c9 
32,c934,c936,c938,c940,c942,c944,c946,c948,c950,c952,c954,c956,c958,c960 
,c962,c964,c966,c968,c970,c972,c974,c976,c978,c980,c982,c984,c986,c988,c 
990,c992,c994,c996,c998,c1000,c1002,c1004,c1006,c1008,c1010,c1012,c1014, 
c1016,c1018,c1020,c1022" -- ping <remote host>

  
Actual results:
racoon dies.

Expected results:
should throw an error and end negotiation

Additional info:
Will fix tonight.

Comment 1 Steve Grubb 2007-04-12 14:08:55 UTC

Joy, do you want me to write the patch for this or are you working on it? I
think its a matter of changing ctx_str to be a pointer to memory rather than an
array and adding the allocation/free calls.

Comment 2 Joy Latten 2007-04-12 14:28:04 UTC

Steve, that would be great, thanks!

Comment 3 Steve Grubb 2007-04-12 15:04:31 UTC

Created attachment 152458 [details]
patch increasing buffer size

This is a quick and dirty patch that will let people continue testing. A better
patch would allocate security_ctx as a variable sized struct.

Comment 5 Joy Latten 2007-04-12 15:37:10 UTC

Created attachment 152467 [details]
Check that security context string doesn't overflow the buffer.

Steve bumping up MAX for security context string length sounds ok to me. 
I also included this patch to make sure we check for buffer overflow.

Comment 6 Steve Grubb 2007-04-12 16:13:19 UTC

ipsec-tools-0.6.5-6.4 was built with both of the above patches. Retest is needed.

Comment 7 Joy Latten 2007-04-12 21:12:31 UTC

I am using the new ipsec-tools and racoon and all appears to be working well.
Consider this retested.

Note You need to log in before you can comment on or make changes to this bug.