ip xfrm state add crashes when supplied an algo
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
iproute2 (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
This is valid for iproute2-ss111117 which is default on Ubuntu 12.04 (LTS).
The crash appends when supplying enc, auth, comp, auth-trunc or aead and the following key argumentis given as a string (as opposed to hexadecimal). When trying to copy the key, it generates a segfault:
-------
*** buffer overflow detected ***: /sbin/ip terminated
======= Backtrace: =========
/lib/x86_
/lib/x86_
/lib/x86_
/sbin/ip[0x420d84]
/sbin/ip(
/sbin/ip[0x405ad5]
/sbin/ip(
/lib/x86_
/sbin/ip[0x405959]
-------
This buffer overflow is actually preposterous since __strncpy_chk is called with 0 as its last argument:
0x0000000000
0x0000000000
0x0000000000
0x0000000000
=> 0x0000000000420d7f: callq 0x404a10 <__strncpy_chk@plt>
("xor %ecx,%ecx" set the fourth argument to 0)
Which is equivalent to:
__strncpy_chk(buf, key, len, 0);
When obtaining the source package, the corresponding code looks like that (from ip/xfrm_state.c, line 113):
static int xfrm_algo_
{
int len;
int slen = strlen(key);
#if 0
/* XXX: verifying both name and key is required! */
#endif
if (slen > 2 && strncmp(key, "0x", 2) == 0) {
<snip>
} else {
len = slen;
if (len > 0) {
}
}
return 0;
}
This code is actually valid but doesn't match the assembly from the binary package.
This is quite annoying since it prevents from setting keys in a string form, thus forcing the user to derivates itself the hexadecimal value for the key when trying to setup an IPsec tunnel for example.
Hi,
I come by cleaning up old issues.
So first of all I beg your pardon that nobody seems to ever have looked at that.
Never the less I have to ask you if this would still happen on newer still supported releases?
If so, it would be great if you could add the steps to reproduce.
Essentially convert the sentence "when supplying enc, auth, comp, auth-trunc or aead and the following key argumentis given as a string" into a series of commands to ensure one does the same when trying to reproduce.