Re: IPV4_RANGE causes isakmpd crash
Isakmpd can crash during Phase 2 if a remote host uses an ID type such as
ID_IPV4_RANGE, ID_IPV6_RANGE, ID_DER_ASN1_DN, ID_DER_ASN1_GN and ID_KEY_ID
(see section 4.6.2.1 of RFC 2407).
This occurs in the ipsec_set_network function in ipsec.c. There are four
switch statements in which these cases are not handled, so when
execution leaves the switch, some pointers have not been filled in, and
isakmpd then crashes.
ID_IPV4_RANGE is used for example by ZyWall 10.
Here is the patch for isakmpd.
---------- cut here -------------
*** ipsec.c Wed Jun 04 09:31:16 2003
--- ipsec.c.new Tue Jun 10 11:16:42 2003
***************
*** 460,465 ****
--- 460,485 ----
isa->src_mask->sa_len = sizeof (struct sockaddr_in6);
#endif
break;
+
+ case IPSEC_ID_IPV4_RANGE:
+ log_print("ipsec_set_network: ID_IPV4_RANGE not supported");
+ return -1;
+
+ case IPSEC_ID_IPV6_RANGE:
+ log_print("ipsec_set_network: ID_IPV6_RANGE not supported");
+ return -1;
+
+ case IPSEC_ID_DER_ASN1_DN:
+ log_print("ipsec_set_network: ID_DER_ASN1_DN not supported");
+ return -1;
+
+ case IPSEC_ID_DER_ASN1_GN:
+ log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
+ return -1;
+
+ case IPSEC_ID_KEY_ID:
+ log_print("ipsec_set_network: ID_KEY_ID not supported");
+ return -1;
}
/* Net */
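Review bot: Listing the five unsupported ID types one by one still lets any other value of the peer-supplied ID type fall out of this switch with isa->src_net and isa->src_mask unset, which is the crash condition the message describes. A single `default:` arm that logs the numeric type and returns -1 would reject every unhandled type, for example `default: log_print("ipsec_set_network: ID type %d not supported", id); return -1;`, where `id` stands for whatever expression the switch tests (not visible in this hunk). The same applies to the three other switches patched below. The start of the switch is outside the hunk, so an existing default arm cannot be ruled out from here.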
***************
*** 480,485 ****
--- 500,525 ----
sockaddr_addrlen (isa->src_net),
sockaddr_addrlen (isa->src_mask));
break;
+
+ case IPSEC_ID_IPV4_RANGE:
+ log_print("ipsec_set_network: ID_IPV4_RANGE not supported");
+ return -1;
+
+ case IPSEC_ID_IPV6_RANGE:
+ log_print("ipsec_set_network: ID_IPV6_RANGE not supported");
+ return -1;
+
+ case IPSEC_ID_DER_ASN1_DN:
+ log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
+ return -1;
+
+ case IPSEC_ID_DER_ASN1_GN:
+ log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
+ return -1;
+
+ case IPSEC_ID_KEY_ID:
+ log_print("ipsec_set_network: ID_KEY_ID not supported");
+ return -1;
}
memcpy (&isa->sport, src_id + ISAKMP_ID_DOI_DATA_OFF +
IPSEC_ID_PORT_OFF,
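Review bot: The `IPSEC_ID_DER_ASN1_DN` arm logs "ID_DER_ASN1_GN not supported", so a DN identity rejected here would be recorded as a GN one and mislead anyone reading the log while diagnosing a failed negotiation. The first hunk has the correct text, and the line should read `log_print("ipsec_set_network: ID_DER_ASN1_DN not supported");`. The same copy-paste slip is in the third and fourth hunks.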
***************
*** 530,535 ****
--- 570,595 ----
isa->dst_mask->sa_len = sizeof (struct sockaddr_in6);
#endif
break;
+
+ case IPSEC_ID_IPV4_RANGE:
+ log_print("ipsec_set_network: ID_IPV4_RANGE not supported");
+ return -1;
+
+ case IPSEC_ID_IPV6_RANGE:
+ log_print("ipsec_set_network: ID_IPV6_RANGE not supported");
+ return -1;
+
+ case IPSEC_ID_DER_ASN1_DN:
+ log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
+ return -1;
+
+ case IPSEC_ID_DER_ASN1_GN:
+ log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
+ return -1;
+
+ case IPSEC_ID_KEY_ID:
+ log_print("ipsec_set_network: ID_KEY_ID not supported");
+ return -1;
}
/* Net */
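Review bot: The `return -1` arms added here run after the source-side switches have already set isa->src_net and isa->src_mask, and src_id and dst_id are separate payloads, so a peer can pair a supported source ID with an unsupported destination ID. If those source fields are heap allocations made in this function (the allocation is outside the hunk), it should be confirmed that the caller releases them on a -1 return; otherwise each rejected negotiation would leak them. Once confirmed, a comment such as `/* src_net/src_mask are released by the caller on failure */` above the first new arm would record it. The fourth hunk has the same early returns.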
***************
*** 550,555 ****
--- 610,635 ----
sockaddr_addrlen (isa->dst_net),
sockaddr_addrlen (isa->dst_mask));
break;
+
+ case IPSEC_ID_IPV4_RANGE:
+ log_print("ipsec_set_network: ID_IPV4_RANGE not supported");
+ return -1;
+
+ case IPSEC_ID_IPV6_RANGE:
+ log_print("ipsec_set_network: ID_IPV6_RANGE not supported");
+ return -1;
+
+ case IPSEC_ID_DER_ASN1_DN:
+ log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
+ return -1;
+
+ case IPSEC_ID_DER_ASN1_GN:
+ log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
+ return -1;
+
+ case IPSEC_ID_KEY_ID:
+ log_print("ipsec_set_network: ID_KEY_ID not supported");
+ return -1;
}
memcpy (&isa->tproto, dst_id + ISAKMP_ID_DOI_DATA_OFF +
IPSEC_ID_PROTO_OFF,
---------- cut here -------------
Eric Boudrand
----- Original Message -----
From: "Cedric Berger" <cedric@berger.to>
To: "Eric Boudrand" <eb@sistech.fr>
Cc: <tech@openbsd.org>
Sent: Tuesday, June 10, 2003 9:45 AM
Subject: Re: IPV4_RANGE causes isakmpd crash
> Eric Boudrand wrote:
>
> >Hi,
> >
> >I have found that isakmpd can crash during Phase 2 if the remote host uses
> >IPV4_RANGE IDs. I have also found in which source code file this occurs.
> >Can I send a patch ?
> >
> Of course!
>
> > And to whom ?
> >
> To that list, or to one of the isakmpd developers, like niklas@openbsd.org
> or ho@openbsd.org
> Cedric