NetBSD-Bugs archive
bin/44951: setkey accesses uninitialised memory
>Number: 44951
>Category: bin
>Synopsis: setkey accesses uninitialised memory
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue May 10 17:10:00 +0000 2011
>Originator: Dr. Wolfgang Stukenbrock
>Release: NetBSD 5.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD s0g7 5.1 NetBSD 5.1 (NSW-locationGW_2) #2: Mon Mar 7 10:35:06 CET 2011 wgstuken@s012:/export/NetBSD-5.1/N+C-build/.OBJDIR_amd64/export/NetBSD-5.1/src/sys/arch/amd64/compile/NSW-locationGW_2 amd64
Architecture: x86_64
Machine: amd64
>Description:
If setkey is run in verbose mode, there are some "old" code fragments that access uninitialized memory.
The problem is located in the postproc() routine, which assumes that the next message for dump and spddump commands is in the memory just behind the current message. This is true when read from a file, but not true when getting messages from the socket.
>How-To-Repeat:
Set up some SA and/or SPD entry and run "setkey -vD" or "setkey -vaD".
>Fix:
The following patch to /usr/src/crypto/dist/ipsec-tools/src/setkey/setkey.c will fix the problem:
--- setkey.c 2011/05/10 17:00:44 1.1
+++ setkey.c 2011/05/10 17:02:32
@@ -593,12 +593,6 @@
else
pfkey_sadump(msg);
}
- msg = (struct sadb_msg *)((caddr_t)msg +
- PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (f_verbose) {
- kdebug_sadb((struct sadb_msg *)msg);
- printf("\n");
- }
break;
case SADB_X_SPDGET:
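Review bot: removing the advance to the next message from the SADB_DUMP case also changes where the verbose dump is printed relative to the pfkey_sadump() output, since the caller's loop (third hunk) now calls kdebug_sadb() on each message before postproc() rather than after it; that ordering change belongs in the commit message. Please also confirm that every caller of postproc(), including the read-from-file path the description says was already safe, iterates per message the way the `while (p < ep)` loop does, otherwise the verbose dump of each following message is lost on that path rather than moved.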
@@ -613,13 +607,6 @@
pfkey_spdump_withports(msg);
else
pfkey_spdump(msg);
- if (msg->sadb_msg_seq == 0) break;
- msg = (struct sadb_msg *)((caddr_t)msg +
- PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (f_verbose) {
- kdebug_sadb((struct sadb_msg *)msg);
- printf("\n");
- }
break;
#ifdef HAVE_PFKEY_POLICY_PRIORITY
case SADB_X_SPDADD:
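Review bot: dropping `if (msg->sadb_msg_seq == 0) break;` together with the pointer advance is behaviour-preserving only because the trailing `break;` is unconditional: the seq check gated nothing except the verbose dump of the following message, which this patch moves to the caller. A sentence saying so in the commit message would save the next reader from wondering whether an end-of-dump check was lost.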
@@ -707,6 +694,10 @@
while (p < ep) {
msg = (struct sadb_msg *)p;
len = PFKEY_UNUNIT64(msg->sadb_msg_len);
+ if (f_verbose) {
+ kdebug_sadb((struct sadb_msg *)msg);
+ printf("\n");
+ }
postproc(msg, len);
p += len;
}
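Review bot: kdebug_sadb() now runs on `msg` before anything validates `len`, and the loop trusts `len` completely: a message with sadb_msg_len of 0 leaves `p` unchanged and spins forever, and one whose declared length extends past `ep` is read beyond the buffer, which is the same class of defect this PR is fixing. Suggest checking before the verbose dump, e.g. `if (len < sizeof(*msg) || p + len > ep)` and then bailing out (errx or break) rather than calling kdebug_sadb() and postproc() on it. The `(struct sadb_msg *)msg` cast is also redundant, since `msg` already has that type.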
>Unformatted:
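As an added illustration, not part of this PR or of ipsec-tools, here is a bounds-checked walk over a buffer of variable-length PF_KEY-style messages, the pattern the caller loop in the third hunk implements. `struct demo_msg`, the `DEMO_UNIT64`/`DEMO_UNUNIT64` macros, `put_msg`, `walk_messages` and the `demo_*` functions are all constructed for this example (the real header is `struct sadb_msg` from `<net/pfkeyv2.h>`, and libipsec's `PFKEY_UNUNIT64` converts 8-byte units to bytes the same way). It goes slightly beyond the patch by rejecting zero, oversized and truncated lengths instead of following them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PF_KEY expresses sadb_msg_len in 8-byte units; these mirror libipsec's
 * PFKEY_UNIT64 / PFKEY_UNUNIT64 (the names here are our own). */
#define DEMO_UNIT64(bytes)   ((bytes) >> 3)
#define DEMO_UNUNIT64(units) ((size_t)(units) << 3)

/* Constructed stand-in for struct sadb_msg: same 16-byte header layout,
 * only the length and sequence fields are used below. */
struct demo_msg {
    uint8_t  version, type, err, satype;
    uint16_t len;        /* 8-byte units, like sadb_msg_len */
    uint16_t reserved;
    uint32_t seq, pid;
};

enum { WALK_SHORT_HDR = -1, WALK_BAD_LEN = -2, WALK_TRUNCATED = -3 };

typedef void (*msg_cb)(const struct demo_msg *hdr, const unsigned char *raw,
                       size_t len, void *ctx);

/* Walk every message in buf[0, buflen) and hand each one to cb.
 * Returns the number of messages processed, or a negative WALK_* code.
 * Only bytes inside the buffer are ever examined: the header must fit,
 * the declared length must cover at least a header (else the loop would
 * never advance) and must not run past ep. Stepping to msg + len without
 * such checks is what the old postproc() did, and for a single socket
 * reply that "next message" is uninitialised memory. */
int walk_messages(const unsigned char *buf, size_t buflen, msg_cb cb, void *ctx)
{
    const unsigned char *p = buf, *ep = buf + buflen;
    int count = 0;
    while (p < ep) {
        struct demo_msg hdr;
        size_t len;
        if ((size_t)(ep - p) < sizeof hdr)
            return WALK_SHORT_HDR;
        memcpy(&hdr, p, sizeof hdr);      /* copy out: no unaligned access */
        len = DEMO_UNUNIT64(hdr.len);
        if (len < sizeof hdr)
            return WALK_BAD_LEN;
        if (len > (size_t)(ep - p))
            return WALK_TRUNCATED;
        cb(&hdr, p, len, ctx);
        p += len;
        count++;
    }
    return count;
}

/* Append one message with `payload` zeroed body bytes (rounded up to a
 * multiple of 8) at out[*off]; returns 0 if it would not fit. */
static int put_msg(unsigned char *out, size_t cap, size_t *off,
                   uint8_t type, uint32_t seq, size_t payload)
{
    size_t total = (sizeof(struct demo_msg) + payload + 7) & ~(size_t)7;
    struct demo_msg hdr = {2, type, 0, 0, (uint16_t)DEMO_UNIT64(total), 0, seq, 0};
    if (*off + total > cap)
        return 0;
    memset(out + *off, 0, total);
    memcpy(out + *off, &hdr, sizeof hdr);
    *off += total;
    return 1;
}

static void count_seq(const struct demo_msg *hdr, const unsigned char *raw,
                      size_t len, void *ctx)
{
    (void)raw; (void)len;
    *(uint32_t *)ctx += hdr->seq;         /* sum of seq fields seen */
}

/* Two messages back to back, as a dump read from a file would hold. */
int demo_dump_from_buffer(void)
{
    unsigned char buf[64]; size_t off = 0; uint32_t sum = 0;
    put_msg(buf, sizeof buf, &off, 10, 1, 0);    /* 16-byte message */
    put_msg(buf, sizeof buf, &off, 10, 2, 20);   /* 40-byte message */
    return walk_messages(buf, off, count_seq, &sum) == 2 && sum == 3;
}

/* One message filling the whole buffer: the single socket reply case. */
int demo_single_reply(void)
{
    unsigned char buf[32]; size_t off = 0; uint32_t sum = 0;
    put_msg(buf, sizeof buf, &off, 10, 7, 8);    /* 24-byte message */
    return walk_messages(buf, off, count_seq, &sum) == 1 && sum == 7;
}

/* Corrupt lengths are rejected instead of being followed. */
int demo_bad_lengths(void)
{
    unsigned char buf[32]; size_t off = 0; uint32_t sum = 0; uint16_t v;
    put_msg(buf, sizeof buf, &off, 10, 1, 8);    /* 24-byte message */
    v = 0;                                        /* zero length */
    memcpy(buf + 4, &v, sizeof v);
    if (walk_messages(buf, off, count_seq, &sum) != WALK_BAD_LEN) return 0;
    v = (uint16_t)DEMO_UNIT64(40);                /* claims 40 of 24 bytes */
    memcpy(buf + 4, &v, sizeof v);
    if (walk_messages(buf, off, count_seq, &sum) != WALK_TRUNCATED) return 0;
    if (walk_messages(buf, 8, count_seq, &sum) != WALK_SHORT_HDR) return 0;
    return 1;
}

int main(void)
{
    printf("dump from buffer: %s\n", demo_dump_from_buffer() ? "ok" : "FAIL");
    printf("single reply:     %s\n", demo_single_reply() ? "ok" : "FAIL");
    printf("bad lengths:      %s\n", demo_bad_lengths() ? "ok" : "FAIL");
    return 0;
}
```

The header is copied out with memcpy before its length field is read, so the walk never dereferences a partial header at the tail of the buffer; the length checks turn the silent over-read the PR describes into an explicit error return the caller can report.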