[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(racoon 863) Forward: Re: [Ipsec-tools-devel] get_proppair/get_transform bug

To: racoon@kame.net
Subject: (racoon 863) Forward: Re: [Ipsec-tools-devel] get_proppair/get_transform bug
From: KAMADA Ken'ichi <kamada@nanohz.org>
Date: Fri, 19 Nov 2004 11:30:32 +0900
Delivered-to: racoon-archive@kame.net
Delivered-to: racoon-outgo@kame.net
Delivered-to: racoon@kame.net
References: <1gnbgat.8uu0yy17jnnn9M%manu@netbsd.org> <xkvhy8h255ab.fsf@cisco.com> <xkvhsm796f23.fsf@cisco.com> <20041116153542.GN24482@NetBSD.org> <20041116173155.GA3953@cisco.com>
Reply-to: racoon@kame.net
Sender: owner-racoon@kame.net
User-agent: Wanderlust/2.11.32 (Wonderwall) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.3.50 (i386-unknown-netbsdelf2.0G) MULE/5.0 (SAKAKI)

KAME racoon also needs to be fixed.

# I think 'if (sa_ret)' is always true though.

-- 
KAMADA Ken'ichi <kamada@nanohz.org>

--- Begin Message ---

To: Emmanuel Dreyfus <manu@netbsd.org>

Subject: Re: [Ipsec-tools-devel] get_proppair/get_transform bug

From: Ganesan R <rganesan@users.sourceforge.net>

Date: Tue, 16 Nov 2004 23:01:55 +0530

Cc: ipsec-tools-devel@lists.sourceforge.net

In-reply-to: <20041116153542.GN24482@NetBSD.org>

List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=ipsec-tools-devel>

List-help: <mailto:ipsec-tools-devel-request@lists.sourceforge.net?subject=help>

List-id: IPsec Tools development list <ipsec-tools-devel.lists.sourceforge.net>

List-post: <mailto:ipsec-tools-devel@lists.sourceforge.net>

List-subscribe: <https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel>, <mailto:ipsec-tools-devel-request@lists.sourceforge.net?subject=subscribe>

List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel>, <mailto:ipsec-tools-devel-request@lists.sourceforge.net?subject=unsubscribe>

References: <1gnbgat.8uu0yy17jnnn9M%manu@netbsd.org> <xkvhy8h255ab.fsf@cisco.com> <xkvhsm796f23.fsf@cisco.com> <20041116153542.GN24482@NetBSD.org>

Sender: ipsec-tools-devel-admin@lists.sourceforge.net

User-agent: Mutt/1.5.6+20040722i
On Tue, Nov 16, 2004 at 03:35:42PM +0000, Emmanuel Dreyfus wrote:
> On Tue, Nov 16, 2004 at 08:01:32PM +0530, Ganesan R wrote:
> > +               p->prop = (struct isakmp_pl_p *) racoon_malloc(sizeof(*prop));
> > +               p->trns = (struct isakmp_pl_t *) racoon_malloc(sizeof(*trns));
> 
> As I understand, both payloards are followed by aribtrary length data.

You're right. However, I think we're barking up the wrong tree.
get_proppair() and get_transform() code appears to be perfectly fine. pbuf
is only a parse buffer, the pointer inside each isakmp_parse_t is pointing
to the sa being passed as the first parameter to get_proppair(). This sa
shouldn't get freed before free_proppair() is called. 

I don't understand why efence complains. Here is what I suspect; in
ipsecdoi_checkph2proposal, we have

	rpair = get_proppair(iph2->sa_ret, IPSECDOI_TYPE_PH2);
	
Later, we have code that does	
			     
        /* make a SA to be replayed. */
      	VPTRINIT(iph2->sa_ret);
        iph2->sa_ret = get_sabyproppair(p, iph2->ph1);
	free_proppair0(p);
	if (iph2->sa_ret == NULL)
	      	 goto end;

where, p is a proposal selected from rpair. I think VPTRINIT() is the real
problem. p->prop is still pointing somewhere inside iph2->sa_ret, but we
have freed it already. The patch below should take care of the problem. 

=====
--- ipsec_doi.c.org	2004-11-16 22:59:18.000000000 +0530
+++ ipsec_doi.c	2004-11-16 22:59:58.000000000 +0530
@@ -761,6 +761,7 @@
 	struct prop_pair *p;
 	int i, n, num;
 	int error = -1;
+	vchar_t *sa_ret = NULL;
 
 	/* get proposal pair of SA sent. */
 	spair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2);
@@ -828,7 +829,7 @@
 		goto end;
 
 	/* make a SA to be replayed. */
-	VPTRINIT(iph2->sa_ret);
+	sa_ret = iph2->sa_ret;
 	iph2->sa_ret = get_sabyproppair(p, iph2->ph1);
 	free_proppair0(p);
 	if (iph2->sa_ret == NULL)
@@ -841,6 +842,8 @@
 		free_proppair(rpair);
 	if (spair)
 		free_proppair(spair);
+	if (sa_ret)
+		vfree(sa_ret);
 
 	return error;
 }

=====

To validate my theory, can you confirm whether efence complains only in
ipsecdoi_checkph2proposal() code path?

Ganesan



-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
--- End Message ---

Prev by Date: (racoon 862) Racoon on Kernel ver2.4.18
Next by Date: (racoon 864) the development situation of the racoon
Previous by thread: (racoon 862) Racoon on Kernel ver2.4.18
Next by thread: (racoon 864) the development situation of the racoon
Index(es):
- Date
- Thread