Red Hat Bugzilla – Bug 449933
buffer overflow when using command `ip xfrm`
Last modified: 2011-01-24 18:04:01 EST
Description of problem:
When I want to use `ip xfrm` to configure a manual keying connection
with two hosts,
it always returns "*** buffer overflow detected ***: ip terminated".
I found xfrm in the kernel source code, so I submitted it as a kernel bug.
I also provide the version for iproute.
Version-Release number of selected component (if applicable):
kernel version 2.6.18-92.el5
Steps to Reproduce:
1. Configure your network: set up two hosts with the following IPv6 addresses
2. # ip xfrm state add src 3ffe:501:ffff:104::10 dst 3ffe:501:ffff:104::11 proto esp spi 0x100 auth 3des "a" mode transport
*** buffer overflow detected ***: ip terminated
state establish success
I did not find a man page for 'ip xfrm'.
I wrote the command according to the usage.
I have also added a policy between the two hosts using
[root@server ~]# ip xfrm policy add dir in src 3ffe:501:ffff:104::10 dst
[root@server ~]# ip xfrm policy list
src 3ffe:501:ffff:104::10/128 dst 3ffe:501:ffff:104::11/128
dir in priority 0
And I changed the value of ALGOKEY many times; all show buffer overflow.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
*** Bug 444724 has been marked as a duplicate of this bug. ***
What are you trying to set up here? An integrity-only ESP SA? The keyword "auth"
takes an integrity algorithm, but 3des is a confidentiality algorithm. So
perhaps you want to s/auth/enc/?
The problem is that iproute does not check its parameters for correctness enough.
If the parameters are incorrect, iproute should not crash, but write some
readable error message. I tried different combinations of parameters and it's
crashing after applying the patch for xfrm support in this case :(
ip is not a privileged command so it crashing on bogus parameters is hardly an
I thought so, I'll give back low priority.
*** Bug 458480 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
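
The parameter checking asked for in the comments above (reject an algorithm given under the wrong keyword, and bound the key before copying it) can be sketched as follows. This is an added example, not iproute's code and not the fix shipped in the erratum; the function names, error codes, KEY_MAX and the two algorithm tables are hypothetical, and it assumes the key is given either as a literal string or as 0x-prefixed hex.

```c
#include <string.h>

#define KEY_MAX 64 /* assumed capacity of the key buffer, in bytes */
enum { OK = 0, ERR_ALGO_KIND = -1, ERR_KEY_SYNTAX = -2, ERR_KEY_TOO_LONG = -3 };

/* Constructed tables for the example, not iproute's own lists. */
static const char *const auth_algos[] = { "md5", "sha1", NULL };
static const char *const enc_algos[] = { "3des", "aes", NULL };

/* keyword is "auth" or "enc"; a name from the other family is rejected. */
static int check_algo(const char *keyword, const char *name)
{
    const char *const *t = strcmp(keyword, "auth") == 0 ? auth_algos : enc_algos;
    for (; *t; t++)
        if (strcmp(*t, name) == 0)
            return OK;
    return ERR_ALGO_KIND;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* The key is "0x<hex digits>" or a literal string. Its decoded length is
 * checked against cap before any byte is written to out. */
static int parse_key(const char *key, unsigned char *out, size_t cap, size_t *len)
{
    size_t n = strlen(key);
    if (n > 2 && key[0] == '0' && (key[1] == 'x' || key[1] == 'X')) {
        key += 2, n -= 2;
        if (n % 2) return ERR_KEY_SYNTAX;
        if (n / 2 > cap) return ERR_KEY_TOO_LONG;
        for (size_t i = 0; i < n; i += 2) {
            int hi = hexval(key[i]), lo = hexval(key[i + 1]);
            if (hi < 0 || lo < 0) return ERR_KEY_SYNTAX;
            out[i / 2] = (unsigned char)(hi << 4 | lo);
        }
        *len = n / 2;
        return OK;
    }
    if (n > cap) return ERR_KEY_TOO_LONG;
    memcpy(out, key, n);
    *len = n;
    return OK;
}
```

A caller would map each error code to a readable message and exit non-zero, so a bad argument never reaches a copy into a fixed-size buffer.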