Bug 449933 - buffer overflow when using command `ip xfrm`
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: iproute
All Linux
low Severity low
Assigned To: Marcela Mašláňová
Brock Organ
Duplicates: 444724 458480
Blocks: 253764
Reported: 2008-06-04 07:09 EDT by Yang Ren
Modified: 2011-01-24 18:04 EST
Doc Type: Bug Fix
Last Closed: 2009-01-20 17:00:14 EST

Attachments:
Fix for segfault with wrong key (545 bytes, patch)
2008-07-07 04:33 EDT, Marcela Mašláňová

Description Yang Ren 2008-06-04 07:09:21 EDT
Description of problem:
When I want to use `ip xfrm` to configure a manual keying connection
with two hosts, it always returns "*** buffer overflow detected ***: ip terminated".

I found xfrm in the kernel source code, so I submitted it as a kernel bug.
I also provide the version for iproute.

Version-Release number of selected component (if applicable):
kernel version 2.6.18-92.el5

How reproducible:

Steps to Reproduce:
1. Configure your network: set up two hosts with the following IPv6 addresses:
3ffe:501:ffff:104::10 3ffe:501:ffff:104::11
2. # ip xfrm state add src 3ffe:501:ffff:104::10 dst 3ffe:501:ffff:104::11 proto esp spi 0x100 auth 3des "a" mode transport

Actual results:
*** buffer overflow detected ***: ip terminated
======= Backtrace: =========
======= Memory map: ========

Expected results:
The state is established successfully.

Additional info:
I did not find a man page for 'ip xfrm'.
I wrote the command according to the usage.
I have also added a policy between the two hosts using
[root@server ~]# ip xfrm policy add dir in src 3ffe:501:ffff:104::10 dst
[root@server ~]# ip xfrm policy list
src 3ffe:501:ffff:104::10/128 dst 3ffe:501:ffff:104::11/128 
	dir in priority 0 

And I changed the value of ALGOKEY many times; all show the buffer overflow.
Comment 2 RHEL Product and Program Management 2008-06-04 09:53:45 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 3 Marcela Mašláňová 2008-06-04 10:46:29 EDT
*** Bug 444724 has been marked as a duplicate of this bug. ***
Comment 4 Herbert Xu 2008-06-05 01:00:16 EDT
What are you trying to set up here? An integrity-only ESP SA? The keyword "auth"
takes an integrity algorithm, but 3des is a confidentiality algorithm.  So
perhaps you want to s/auth/enc/?
Comment 5 Marcela Mašláňová 2008-06-05 02:50:59 EDT
The problem is that iproute does not check its parameters for correctness enough.
If the parameters are incorrect, iproute should not crash, but write some
readable error message. I tried different combinations of parameters and it's
crashing after applying patch for xfrm support in this case :(
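
The behaviour Comment 5 asks for, rejecting a bad algorithm/key pair with a readable message instead of crashing, shown as an added example; it is not iproute's code and not the attached patch. The `parse_algo` helper, the algorithm table and the caller-supplied buffer size are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
enum algo_class { ALGO_AUTH, ALGO_ENC };
/* Constructed table for illustration; not the list iproute or the kernel uses. */
static const struct { const char *name; enum algo_class cls; } algos[] = {
    { "sha1", ALGO_AUTH }, { "md5", ALGO_AUTH },
    { "3des", ALGO_ENC },  { "aes", ALGO_ENC },
};

static int hexval(char ch)
{
    int c = tolower((unsigned char)ch);
    if (isdigit(c)) return c - '0';
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper: returns the key length in bytes, or -1 with a
 * readable reason in msg. Never writes more than out_max bytes to out. */
int parse_algo(enum algo_class want, const char *name, const char *key,
               unsigned char *out, size_t out_max, char *msg, size_t msg_len)
{
    size_t i, n = sizeof(algos) / sizeof(algos[0]), len;
    for (i = 0; i < n && strcmp(algos[i].name, name) != 0; i++)
        ;
    if (i == n)
        return snprintf(msg, msg_len, "unknown algorithm \"%s\"", name), -1;
    if (algos[i].cls != want)       /* e.g. a cipher name given after "auth" */
        return snprintf(msg, msg_len, "\"%s\" is not valid for \"%s\"", name,
                        want == ALGO_AUTH ? "auth" : "enc"), -1;
    if (strncmp(key, "0x", 2) == 0) {           /* hex key: two digits per byte */
        key += 2;
        len = strlen(key);
        if (len == 0 || len % 2 || len / 2 > out_max)
            return snprintf(msg, msg_len, "bad hex key length %zu", len), -1;
        for (i = 0; i < len; i += 2) {
            int hi = hexval(key[i]), lo = hexval(key[i + 1]);
            if (hi < 0 || lo < 0)
                return snprintf(msg, msg_len, "non-hex digit in key"), -1;
            out[i / 2] = (unsigned char)(hi << 4 | lo);
        }
        return (int)(len / 2);
    }
    len = strlen(key);                          /* plain string key */
    if (len > out_max)                          /* check before copying */
        return snprintf(msg, msg_len, "key too long (%zu > %zu)", len, out_max), -1;
    memcpy(out, key, len);
    return (int)len;
}
```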
Comment 6 Herbert Xu 2008-06-05 03:04:42 EDT
ip is not a privileged command so its crashing on bogus parameters is hardly an
important issue.
Comment 7 Marcela Mašláňová 2008-06-05 03:14:24 EDT
I thought so, I'll give back low priority.
Comment 18 Marcela Mašláňová 2008-08-11 03:08:44 EDT
*** Bug 458480 has been marked as a duplicate of this bug. ***
Comment 22 errata-xmlrpc 2009-01-20 17:00:14 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

