Bug 689178 - [PATCH] xl2tpd buffer overrun and failure
Summary: [PATCH] xl2tpd buffer overrun and failure
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: xl2tpd
Version: 14
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-03-20 04:44 UTC by Matt Domsch
Modified: 2012-02-28 03:05 UTC

Doc Type: Bug Fix
Last Closed: 2012-02-28 03:05:53 UTC
Attachments
xl2tpd-buffer-overrun.patch (730 bytes, application/octet-stream)
2011-03-20 04:44 UTC, Matt Domsch

Description Matt Domsch 2011-03-20 04:44:20 UTC
Created attachment 486434
xl2tpd-buffer-overrun.patch

Description of problem:
Use a 16-character secret in l2tp-secrets, or shorter. The bufferDump() function fails (gcc's stack overflow test catches it and aborts the program) by overwriting the end of the 'line' buffer if it is given a multiple-of-16-length string (such as the expansion of an md5sum field, or the 16 characters of the secret).

Version-Release number of selected component (if applicable):
1.2.7-1.f14

How reproducible:
easily

Steps to Reproduce:
1. see above

Actual results:
xl2tpd[30300]: handle_challenge: making response for tunnel: 960
xl2tpd[30300]: get_secret: we are '*', they are '*', secret is '"abcdefghijklmnop"'
xl2tpd[30300]: *handle_challenge: Here comes the chal->ss:
xl2tpd[30300]: bufferDump:             buffer[0]: *02*
xl2tpd[30300]: handle_challenge: Here comes the secret
xl2tpd[30300]: bufferDump: buflen=18, buffer[0]: *226162636465666768696a6b6c6d6e6f*
xl2tpd[30300]: bufferDump:             buffer[1]: *7022*
*** stack smashing detected ***: /usr/sbin/xl2tpd terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x2c55dd]
/lib/libc.so.6[0x2c558a]
/usr/sbin/xl2tpd[0x804c14d]
/usr/sbin/xl2tpd[0x805a4a8]
/usr/sbin/xl2tpd[0x804e44f]
/usr/sbin/xl2tpd[0x805642a]
/usr/sbin/xl2tpd[0x804baea]
/lib/libc.so.6(__libc_start_main+0xe6)[0x1eae36]
/usr/sbin/xl2tpd[0x8049311]
======= Memory map: ========
00110000-00111000 r-xp 00000000 00:00 0          [vdso]
001b3000-001d0000 r-xp 00000000 08:06 3080245    /lib/ld-2.13.so
001d0000-001d1000 r--p 0001c000 08:06 3080245    /lib/ld-2.13.so
001d1000-001d2000 rw-p 0001d000 08:06 3080245    /lib/ld-2.13.so
001d4000-00357000 r-xp 00000000 08:06 3080568    /lib/libc-2.13.so
00357000-00358000 ---p 00183000 08:06 3080568    /lib/libc-2.13.so
00358000-0035a000 r--p 00183000 08:06 3080568    /lib/libc-2.13.so
0035a000-0035b000 rw-p 00185000 08:06 3080568    /lib/libc-2.13.so
0035b000-0035e000 rw-p 00000000 00:00 0 
003c7000-003e3000 r-xp 00000000 08:06 3080764    /lib/libgcc_s-4.5.1-20100924.so.1
003e3000-003e4000 rw-p 0001b000 08:06 3080764    /lib/libgcc_s-4.5.1-20100924.so.1
08048000-08064000 r-xp 00000000 08:06 216980     /usr/sbin/xl2tpd
08064000-08065000 rw-p 0001b000 08:06 216980     /usr/sbin/xl2tpd
08065000-08089000 rw-p 00000000 00:00 0          [heap]
b7fe4000-b7fe5000 rw-p 00000000 00:00 0 
b7fff000-b8000000 rw-p 00000000 00:00 0 
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0x00110416 in __kernel_vsyscall ()
(gdb) bt
#0  0x00110416 in __kernel_vsyscall ()
#1  0x001ff2f1 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00200d5e in abort () at abort.c:92
#3  0x0023b51d in __libc_message (do_abort=2, fmt=0x31f4cb "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#4  0x002c55dd in __fortify_fail (msg=0x31f4b3 "stack smashing detected") at fortify_fail.c:32
#5  0x002c558a in __stack_chk_fail () at stack_chk_fail.c:29
#6  0x0804c14d in bufferDump (buf=0x8069bb9 "\"abcdefghijklmnop\"", buflen=18) at misc.c:144
#7  0x0805a4a8 in handle_challenge (t=0x8069a00, chal=0x8069b60) at aaa.c:267
#8  0x0804e44f in control_finish (t=0x8069a00, c=0x8069e10) at control.c:462
#9  0x0805642a in network_thread () at network.c:555
#10 0x0804baea in main (argc=2, argv=0xbffff6c4) at xl2tpd.c:1313


Expected results:
no failure

Additional info:
see attached patch which fixes it.
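
The failure reported above is a hex-dump routine whose per-line buffer is overrun once the input length is an exact multiple of 16 bytes, because the full line of hex digits leaves no room left over. What follows is an added, constructed C example written for this page; it is not xl2tpd's bufferDump and not the attached patch (whose contents are not shown here). It sizes the line buffer for the worst case (16 bytes, two hex digits each, plus the terminating NUL), bounds every write with snprintf, and reports a line that does not fit instead of writing past the buffer. The function names format_hex_line, hex_dump and try_format, the LINE_BUF_SIZE macro and the sample inputs are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_LINE 16
/* Worst case for one line: two hex digits per byte plus the terminating NUL.
 * Sizing the buffer for exactly BYTES_PER_LINE * 2 would leave no room for
 * the NUL when the input fills a whole line, which is the boundary case
 * this constructed example is about. */
#define LINE_BUF_SIZE (BYTES_PER_LINE * 2 + 1)

/* Format up to BYTES_PER_LINE bytes of buf as lowercase hex into line, which
 * holds line_size bytes. Returns the number of characters written (excluding
 * the NUL), or -1 if the line would not fit; it never writes past line_size. */
int format_hex_line(const unsigned char *buf, size_t n, char *line, size_t line_size)
{
    size_t pos = 0;

    if (line_size == 0)
        return -1;
    if (n > BYTES_PER_LINE)
        n = BYTES_PER_LINE;
    line[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        /* snprintf bounds each write and returns the length it wanted to
         * write, so a result >= the remaining space means truncation. */
        int w = snprintf(line + pos, line_size - pos, "%02x", buf[i]);
        if (w < 0 || (size_t)w >= line_size - pos) {
            line[pos] = '\0';
            return -1;
        }
        pos += (size_t)w;
    }
    return (int)pos;
}

/* Dump buflen bytes of buf, BYTES_PER_LINE bytes per line, in the same
 * "buffer[i]: *hex*" shape as the log lines in the report. Returns the
 * number of lines emitted, or -1 if any line failed to format. Pass out as
 * NULL to format without printing. */
int hex_dump(const unsigned char *buf, size_t buflen, FILE *out)
{
    char line[LINE_BUF_SIZE];
    int lines = 0;

    for (size_t off = 0; off < buflen; off += BYTES_PER_LINE) {
        size_t chunk = buflen - off;
        if (chunk > BYTES_PER_LINE)
            chunk = BYTES_PER_LINE;
        if (format_hex_line(buf + off, chunk, line, sizeof line) < 0)
            return -1;
        if (out != NULL)
            fprintf(out, "buffer[%d]: *%s*\n", lines, line);
        lines++;
    }
    return lines;
}

/* Self-check helper (hypothetical): format nbytes of filler into a line
 * buffer treated as line_size bytes long, capped at LINE_BUF_SIZE so the
 * check itself cannot overflow. Shows that an undersized buffer is reported
 * rather than overrun. */
int try_format(size_t nbytes, size_t line_size)
{
    unsigned char src[BYTES_PER_LINE];
    char line[LINE_BUF_SIZE];

    memset(src, 0xab, sizeof src);
    if (line_size > sizeof line)
        line_size = sizeof line;
    return format_hex_line(src, nbytes, line, line_size);
}

int main(void)
{
    /* Constructed sample: the 16-character secret from the report, including
     * the surrounding double quotes, is 18 bytes and needs two lines. */
    const unsigned char quoted_secret[] = "\"abcdefghijklmnop\"";
    /* A bare 16-byte value fills one line exactly: the multiple-of-16 case. */
    const unsigned char bare_secret[] = "abcdefghijklmnop";

    printf("18-byte dump: %d lines\n", hex_dump(quoted_secret, 18, stdout));
    printf("16-byte dump: %d lines\n", hex_dump(bare_secret, 16, stdout));
    printf("16 bytes into a %d-byte line: %d\n", LINE_BUF_SIZE, try_format(16, LINE_BUF_SIZE));
    printf("16 bytes into a %d-byte line: %d\n", LINE_BUF_SIZE - 1, try_format(16, LINE_BUF_SIZE - 1));
    return 0;
}
```

The two try_format calls in main show the boundary directly: 16 bytes fit in a 33-byte line buffer and yield 32 characters, while a 32-byte buffer (room for the digits but not the NUL) is rejected with -1 rather than written past, which is the condition the stack protector caught in the report.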

Comment 1 Paul Wouters 2011-03-20 05:31:28 UTC
Fixed in the upstream git repo. Thanks!

As I'm upstream and packager, I'll release 1.2.9 in the next few days, then package that up.

Comment 2 Paul Wouters 2011-10-06 02:07:29 UTC
Fixed in 1.2.9, but not all branches have been updated yet. Will sync all of them to 1.3.1

