Bug 449933 - buffer overflow when using command `ip xfrm`
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: iproute
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Marcela Mašláňová
QA Contact: Brock Organ
Duplicates: 444724 458480
Blocks: 253764
Reported: 2008-06-04 07:09 EDT by Yang Ren
Modified: 2011-01-24 18:04 EST

Doc Type: Bug Fix
Last Closed: 2009-01-20 17:00:14 EST


Attachments
Fix for segfault with wrong key (545 bytes, patch)
2008-07-07 04:33 EDT, Marcela Mašláňová

Description Yang Ren 2008-06-04 07:09:21 EDT
Description of problem:
When I want to use `ip xfrm` to configure a manual keying connection with two hosts, it always returns "*** buffer overflow detected ***: ip terminated".

I found xfrm in the kernel source code, so I submitted it as a kernel bug.
I also provide the version for iproute.

Version-Release number of selected component (if applicable):
kernel version 2.6.18-92.el5
iproute-2.6.18-7.el5

How reproducible:
always

Steps to Reproduce:
1. Configure your network: set up two hosts with the following IPv6 addresses:
3ffe:501:ffff:104::10 3ffe:501:ffff:104::11
2. # ip xfrm state add src 3ffe:501:ffff:104::10 dst 3ffe:501:ffff:104::11 proto esp spi 0x100 auth 3des "a" mode transport
  
Actual results:
*** buffer overflow detected ***: ip terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xa44e41]
/lib/libc.so.6[0xa4444c]
ip[0x805feac]
ip[0x8060f90]
ip[0x804940c]
ip[0x8049a3e]
/lib/libc.so.6(__libc_start_main+0xdc)[0x975dec]
ip[0x8049301]
Aborted

Expected results:
The state is established successfully.

Additional info:
I did not find a man page for 'ip xfrm'.
I wrote the command according to the usage.
I have also added a policy between the two hosts using
[root@server ~]# ip xfrm policy add dir in src 3ffe:501:ffff:104::10 dst 3ffe:501:ffff:104::11
[root@server ~]# ip xfrm policy list
src 3ffe:501:ffff:104::10/128 dst 3ffe:501:ffff:104::11/128 
	dir in priority 0 

And I changed the value of ALGOKEY many times; all show buffer overflow.
Comment 2 RHEL Product and Program Management 2008-06-04 09:53:45 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Marcela Mašláňová 2008-06-04 10:46:29 EDT
*** Bug 444724 has been marked as a duplicate of this bug. ***
Comment 4 Herbert Xu 2008-06-05 01:00:16 EDT
What are you trying to set up here? An integrity-only ESP SA? The keyword "auth"
takes an integrity algorithm, but 3des is a confidentiality algorithm.  So
perhaps you want to s/auth/enc/?
Comment 5 Marcela Mašláňová 2008-06-05 02:50:59 EDT
The problem is that iproute does not check its parameters for correctness enough. 
If the parameters are incorrect, iproute should not crash, but write some
readable error message. I tried different combinations of parameters and it's
crashing after applying patch for xfrm support in this case :(
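
The kind of parameter checking asked for in the comment above, as an added example; it is not iproute's code and not the attached patch. The function name `parse_algo_key`, the 64-byte capacity and the `0x` hex convention are assumptions made for illustration. Every length is checked against the destination capacity before any byte is copied, and bad input produces a readable message instead of an abort.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KEY_BUF_MAX 64 /* assumed destination capacity, not iproute's value */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Record a readable error and signal failure to the caller. */
static int fail(char *err, size_t errlen, const char *msg)
{
    snprintf(err, errlen, "invalid key: %s", msg);
    return -1;
}

/*
 * Hypothetical parser for an ALGOKEY argument: "0x..." is hex, anything
 * else is taken as a raw string. Returns the key length in bytes, or -1
 * with a message in err. Nothing is written past out[cap - 1].
 */
int parse_algo_key(const char *arg, unsigned char *out, size_t cap,
                   char *err, size_t errlen)
{
    size_t len = strlen(arg), i;

    if (strncmp(arg, "0x", 2) == 0) {
        const char *hex = arg + 2;
        len -= 2;
        if (len == 0 || len % 2) return fail(err, errlen, "odd or empty hex string");
        len /= 2;
        if (len > cap) return fail(err, errlen, "key longer than buffer");
        for (i = 0; i < len; i++) {
            int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
            if (hi < 0 || lo < 0) return fail(err, errlen, "non-hex digit");
            out[i] = (unsigned char)((hi << 4) | lo);
        }
        return (int)len;
    }
    if (len == 0 || len > cap) return fail(err, errlen, "empty or too long");
    memcpy(out, arg, len);
    return (int)len;
}
```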
Comment 6 Herbert Xu 2008-06-05 03:04:42 EDT
ip is not a privileged command so it crashing on bogus parameters is hardly an
important issue.
Comment 7 Marcela Mašláňová 2008-06-05 03:14:24 EDT
I thought so, I'll give back low priority.
Comment 18 Marcela Mašláňová 2008-08-11 03:08:44 EDT
*** Bug 458480 has been marked as a duplicate of this bug. ***
Comment 22 errata-xmlrpc 2009-01-20 17:00:14 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0204.html
