Created attachment 486434: xl2tpd-buffer-overrun.patch

Description of problem:
Use a 16-character secret in l2tp-secrets, or shorter. The bufferDump() function fails (gcc's stack overflow test catches it and aborts the program) by overwriting the end of the 'line' buffer when given a multiple-of-16-length string (such as the expansion of an md5sum field, or the 16 characters of the secret).

Version-Release number of selected component (if applicable):
1.2.7-1.f14

How reproducible:
easily

Steps to Reproduce:
1. see above

Actual results:
xl2tpd[30300]: handle_challenge: making response for tunnel: 960
xl2tpd[30300]: get_secret: we are '*', they are '*', secret is '"abcdefghijklmnop"'
xl2tpd[30300]: *handle_challenge: Here comes the chal->ss:
xl2tpd[30300]: bufferDump: buffer[0]: *02*
xl2tpd[30300]: handle_challenge: Here comes the secret
xl2tpd[30300]: bufferDump: buflen=18, buffer[0]: *226162636465666768696a6b6c6d6e6f*
xl2tpd[30300]: bufferDump: buffer[1]: *7022*
*** stack smashing detected ***: /usr/sbin/xl2tpd terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x2c55dd]
/lib/libc.so.6[0x2c558a]
/usr/sbin/xl2tpd[0x804c14d]
/usr/sbin/xl2tpd[0x805a4a8]
/usr/sbin/xl2tpd[0x804e44f]
/usr/sbin/xl2tpd[0x805642a]
/usr/sbin/xl2tpd[0x804baea]
/lib/libc.so.6(__libc_start_main+0xe6)[0x1eae36]
/usr/sbin/xl2tpd[0x8049311]
======= Memory map: ========
00110000-00111000 r-xp 00000000 00:00 0          [vdso]
001b3000-001d0000 r-xp 00000000 08:06 3080245    /lib/ld-2.13.so
001d0000-001d1000 r--p 0001c000 08:06 3080245    /lib/ld-2.13.so
001d1000-001d2000 rw-p 0001d000 08:06 3080245    /lib/ld-2.13.so
001d4000-00357000 r-xp 00000000 08:06 3080568    /lib/libc-2.13.so
00357000-00358000 ---p 00183000 08:06 3080568    /lib/libc-2.13.so
00358000-0035a000 r--p 00183000 08:06 3080568    /lib/libc-2.13.so
0035a000-0035b000 rw-p 00185000 08:06 3080568    /lib/libc-2.13.so
0035b000-0035e000 rw-p 00000000 00:00 0
003c7000-003e3000 r-xp 00000000 08:06 3080764    /lib/libgcc_s-4.5.1-20100924.so.1
003e3000-003e4000 rw-p 0001b000 08:06 3080764    /lib/libgcc_s-4.5.1-20100924.so.1
08048000-08064000 r-xp 00000000 08:06 216980     /usr/sbin/xl2tpd
08064000-08065000 rw-p 0001b000 08:06 216980     /usr/sbin/xl2tpd
08065000-08089000 rw-p 00000000 00:00 0          [heap]
b7fe4000-b7fe5000 rw-p 00000000 00:00 0
b7fff000-b8000000 rw-p 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0x00110416 in __kernel_vsyscall ()
(gdb) bt
#0  0x00110416 in __kernel_vsyscall ()
#1  0x001ff2f1 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00200d5e in abort () at abort.c:92
#3  0x0023b51d in __libc_message (do_abort=2, fmt=0x31f4cb "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#4  0x002c55dd in __fortify_fail (msg=0x31f4b3 "stack smashing detected") at fortify_fail.c:32
#5  0x002c558a in __stack_chk_fail () at stack_chk_fail.c:29
#6  0x0804c14d in bufferDump (buf=0x8069bb9 "\"abcdefghijklmnop\"", buflen=18) at misc.c:144
#7  0x0805a4a8 in handle_challenge (t=0x8069a00, chal=0x8069b60) at aaa.c:267
#8  0x0804e44f in control_finish (t=0x8069a00, c=0x8069e10) at control.c:462
#9  0x0805642a in network_thread () at network.c:555
#10 0x0804baea in main (argc=2, argv=0xbffff6c4) at xl2tpd.c:1313

Expected results:
no failure

Additional info:
see attached patch which fixes it.
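The report describes a hex-dump helper whose fixed stack buffer lacks room for the NUL that sprintf() appends after a full 16-byte line, so a full line writes one byte past the buffer and the stack protector aborts the process at return. The following is an added illustration of that bug class and its remedy; it is constructed for this page, not xl2tpd's bufferDump() code or its attached patch, and the function names hex_line()/hex_dump() and the sizing macros are assumptions. It sizes the line buffer as 2 hex digits per byte plus one terminator, and makes the formatter refuse a destination that is too small instead of overrunning it. The sample input mirrors the log above: the 16-character secret wrapped in double quotes, 18 bytes in total.

```c
#include <stdio.h>
#include <string.h>

#define HEX_BYTES_PER_LINE 16
/* Two hex digits per byte plus the terminating NUL that sprintf()/snprintf()
 * always write. Sizing the buffer as 16 * 2 with no +1 is the off-by-one
 * that the bug report describes: a full 16-byte line then writes its NUL
 * one byte past the end of the stack array. */
#define HEX_LINE_BUFSIZE (HEX_BYTES_PER_LINE * 2 + 1)

/* Format up to HEX_BYTES_PER_LINE bytes of src as lowercase hex into dst.
 * Returns the number of characters written (excluding the NUL), or -1 when
 * dst cannot hold the line and its terminator, in which case nothing is
 * written. (Assumed helper, not xl2tpd's code.) */
int hex_line(char *dst, size_t dstcap, const unsigned char *src, size_t n)
{
    if (n > HEX_BYTES_PER_LINE)
        return -1;
    if (dstcap < n * 2 + 1)        /* the +1 for the terminator is the fix */
        return -1;
    for (size_t i = 0; i < n; i++) {
        /* Pass the remaining capacity so the formatter is bounded even if
         * the arithmetic above were ever wrong. */
        snprintf(dst + i * 2, dstcap - i * 2, "%02x", src[i]);
    }
    dst[n * 2] = '\0';
    return (int)(n * 2);
}

/* Dump buf in 16-byte lines in the style of the log output above.
 * Returns the number of lines emitted, or -1 if a line could not be
 * formatted safely. (Assumed helper, not xl2tpd's code.) */
int hex_dump(const unsigned char *buf, size_t buflen)
{
    char line[HEX_LINE_BUFSIZE];   /* 33 bytes: 32 hex digits + NUL */
    int lines = 0;

    for (size_t off = 0; off < buflen; off += HEX_BYTES_PER_LINE) {
        size_t n = buflen - off;
        if (n > HEX_BYTES_PER_LINE)
            n = HEX_BYTES_PER_LINE;
        if (hex_line(line, sizeof line, buf + off, n) < 0)
            return -1;
        printf("bufferDump: buflen=%zu, buffer[%d]: *%s*\n",
               buflen, lines, line);
        lines++;
    }
    return lines;
}

int main(void)
{
    /* Constructed input: the quoted 16-character secret from the report. */
    const unsigned char secret[] = "\"abcdefghijklmnop\"";
    /* Two lines are expected: 16 bytes, then the remaining 2 bytes. */
    return hex_dump(secret, sizeof secret - 1) == 2 ? 0 : 1;
}
```

The defensive check is the interesting part: a caller that hands hex_line() a 32-byte buffer for a 16-byte line gets -1 back rather than a silently corrupted stack frame, which is the failure the original bufferDump() had no way to report.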
Fixed in the upstream git repo. Thanks! As I'm upstream and packager, I'll release 1.2.9 in the next few days, then package that up.
Fixed in 1.2.9, but not all branches have been updated yet. Will sync all of them to 1.3.1