Bug 449933 - buffer overflow when using command `ip xfrm`
Summary: buffer overflow when using command `ip xfrm`
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: iproute
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Marcela Mašláňová
QA Contact: Brock Organ
URL:
Whiteboard:
Duplicates: 444724 458480
Depends On:
Blocks: 253764
 
Reported: 2008-06-04 11:09 UTC by Yang Ren
Modified: 2018-10-19 18:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-20 22:00:14 UTC
Target Upstream Version:
Embargoed:


Attachments
Fix for segfault with wrong key (545 bytes, patch), 2008-07-07 08:33 UTC, Marcela Mašláňová


Links
Red Hat Product Errata RHBA-2009:0204 (normal, SHIPPED_LIVE): iproute bug fix and enhancement update, last updated 2009-01-20 16:06:11 UTC

Description Yang Ren 2008-06-04 11:09:21 UTC
Description of problem:
When I try to use `ip xfrm` to configure a manual keying connection between two hosts,
it always returns "*** buffer overflow detected ***: ip terminated".

I found xfrm in the kernel source code, so I submitted it as a kernel bug.
I also provide the version of iproute.

Version-Release number of selected component (if applicable):
kernel version 2.6.18-92.el5
iproute-2.6.18-7.el5

How reproducible:
always

Steps to Reproduce:
1. Configure your network: set up two hosts with the following IPv6 addresses:
   3ffe:501:ffff:104::10 and 3ffe:501:ffff:104::11
2. # ip xfrm state add src 3ffe:501:ffff:104::10 dst 3ffe:501:ffff:104::11 proto esp spi 0x100 auth 3des "a" mode transport
  
Actual results:
*** buffer overflow detected ***: ip terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xa44e41]
/lib/libc.so.6[0xa4444c]
ip[0x805feac]
ip[0x8060f90]
ip[0x804940c]
ip[0x8049a3e]
/lib/libc.so.6(__libc_start_main+0xdc)[0x975dec]
ip[0x8049301]
======= Memory map: ========
00416000-00425000 r-xp 00000000 08:05 11175434   /lib/libresolv-2.5.so
00425000-00426000 r-xp 0000e000 08:05 11175434   /lib/libresolv-2.5.so
00426000-00427000 rwxp 0000f000 08:05 11175434   /lib/libresolv-2.5.so
00427000-00429000 rwxp 00427000 00:00 0 
00563000-00564000 r-xp 00563000 00:00 0          [vdso]
00942000-0095c000 r-xp 00000000 08:05 11175418   /lib/ld-2.5.so
0095c000-0095d000 r-xp 00019000 08:05 11175418   /lib/ld-2.5.so
0095d000-0095e000 rwxp 0001a000 08:05 11175418   /lib/ld-2.5.so
00960000-00a9d000 r-xp 00000000 08:05 11175419   /lib/libc-2.5.so
00a9d000-00a9f000 r-xp 0013d000 08:05 11175419   /lib/libc-2.5.so
00a9f000-00aa0000 rwxp 0013f000 08:05 11175419   /lib/libc-2.5.so
00aa0000-00aa3000 rwxp 00aa0000 00:00 0 
00c26000-00c31000 r-xp 00000000 08:05 11174110   /lib/libgcc_s-4.1.2-20080102.so.1
00c31000-00c32000 rwxp 0000a000 08:05 11174110   /lib/libgcc_s-4.1.2-20080102.so.1
08048000-08070000 r-xp 00000000 08:05 10158199   /sbin/ip
08070000-08074000 rw-p 00027000 08:05 10158199   /sbin/ip
08086000-080a7000 rw-p 08086000 00:00 0 
b7fdb000-b7fdd000 rw-p b7fdb000 00:00 0 
bfd06000-bfd1c000 rw-p bfd06000 00:00 0          [stack]
Aborted

Expected results:
The state is established successfully.

Additional info:
I did not find a man page for 'ip xfrm'.
I wrote the command according to the usage text.
I also added a policy between the two hosts using:
[root@server ~]# ip xfrm policy add dir in src 3ffe:501:ffff:104::10 dst 3ffe:501:ffff:104::11
[root@server ~]# ip xfrm policy list
src 3ffe:501:ffff:104::10/128 dst 3ffe:501:ffff:104::11/128 
	dir in priority 0 

And I changed the value of ALGOKEY many times; all of them show the buffer overflow.

Comment 2 RHEL Program Management 2008-06-04 13:53:45 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 3 Marcela Mašláňová 2008-06-04 14:46:29 UTC
*** Bug 444724 has been marked as a duplicate of this bug. ***

Comment 4 Herbert Xu 2008-06-05 05:00:16 UTC
What are you trying to set up here? An integrity-only ESP SA? The keyword "auth"
takes an integrity algorithm, but 3des is a confidentiality algorithm.  So
perhaps you want to s/auth/enc/?

Comment 5 Marcela Mašláňová 2008-06-05 06:50:59 UTC
The problem is that iproute does not check its parameters for correctness thoroughly enough.
If the parameters are incorrect, iproute should not crash, but write a
readable error message. I tried different combinations of parameters and it's
crashing after applying the patch for xfrm support in this case :(

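The behaviour Marcela asks for above, a readable error instead of a crash when ALGOKEY is bad, as an added illustration. This is not iproute2's code and not the attached patch; the page does not show the real parser's internals, so the fixed buffer size, the `struct algo_key` type and the function names are assumptions. The parser accepts the two key spellings the `ip xfrm` usage allows, a `0x...` hex string or a raw string such as the `"a"` from the report, and checks every copy against the destination size before it happens:

```c
/* Added example, not iproute2 code: a bounds-checked ALGOKEY parser.
 * KEY_BUF_SIZE and struct algo_key are assumptions standing in for the
 * fixed-size key storage that a too-long or malformed key can overrun. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KEY_BUF_SIZE 64   /* assumed fixed capacity of the key buffer */

struct algo_key {
    unsigned char buf[KEY_BUF_SIZE];
    size_t len;           /* number of bytes actually stored in buf */
};

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse an ALGOKEY into out. Returns 0 on success, -1 on error (with a
 * message on stderr). A "0x" prefix selects hex; anything else is copied
 * as raw bytes. Both paths check the length against sizeof(out->buf)
 * before writing, so an oversized key is rejected, never copied. */
int parse_algo_key(const char *key, struct algo_key *out)
{
    size_t slen = strlen(key);
    memset(out, 0, sizeof(*out));

    if (slen > 2 && strncmp(key, "0x", 2) == 0) {
        const char *hex = key + 2;
        size_t hlen = slen - 2;
        if (hlen % 2 != 0) {
            fprintf(stderr, "ALGOKEY: hex key needs an even number of digits\n");
            return -1;
        }
        if (hlen / 2 > sizeof(out->buf)) {
            fprintf(stderr, "ALGOKEY: key is too large (max %zu bytes)\n",
                    sizeof(out->buf));
            return -1;
        }
        for (size_t i = 0; i < hlen; i += 2) {
            int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
            if (hi < 0 || lo < 0) {
                fprintf(stderr, "ALGOKEY: invalid hex digit in key\n");
                return -1;
            }
            out->buf[i / 2] = (unsigned char)((hi << 4) | lo);
        }
        out->len = hlen / 2;
        return 0;
    }

    /* Raw string key, e.g. the "a" from the bug report. */
    if (slen > sizeof(out->buf)) {
        fprintf(stderr, "ALGOKEY: key is too large (max %zu bytes)\n",
                sizeof(out->buf));
        return -1;
    }
    memcpy(out->buf, key, slen);
    out->len = slen;
    return 0;
}

/* Convenience wrapper: stored key length, or -1 if the key was rejected. */
int key_len_of(const char *key)
{
    struct algo_key k;
    return parse_algo_key(key, &k) == 0 ? (int)k.len : -1;
}

/* Feeds a constructed key one byte longer than the buffer; returns 1 if
 * the parser rejected it (the desired outcome), 0 otherwise. */
int oversized_key_rejected(void)
{
    char big[KEY_BUF_SIZE + 2];           /* KEY_BUF_SIZE + 1 chars + NUL */
    memset(big, 'k', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return key_len_of(big) == -1;
}

int main(void)
{
    printf("\"a\"        -> %d bytes\n", key_len_of("a"));         /* 1 */
    printf("0x0102ff   -> %d bytes\n", key_len_of("0x0102ff"));  /* 3 */
    printf("0xabc      -> %d (odd digit count)\n", key_len_of("0xabc"));
    printf("oversized key rejected: %d\n", oversized_key_rejected());
    return 0;
}
```

With every copy guarded by a size check, the worst a bad ALGOKEY can do is produce an error message and a non-zero exit, which is exactly the failure mode a command-line parser should have regardless of whether the binary is privileged.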

Comment 6 Herbert Xu 2008-06-05 07:04:42 UTC
ip is not a privileged command so it crashing on bogus parameters is hardly an
important issue.

Comment 7 Marcela Mašláňová 2008-06-05 07:14:24 UTC
I thought so, I'll give back low priority.

Comment 18 Marcela Mašláňová 2008-08-11 07:08:44 UTC
*** Bug 458480 has been marked as a duplicate of this bug. ***

Comment 22 errata-xmlrpc 2009-01-20 22:00:14 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0204.html

