
Re: IPV4_RANGE causes isakmpd crash

From: Eric Boudrand <eb(at)sistech.fr>
Date: Tue Jun 10 2003 - 05:39:29 EDT

Isakmpd can crash during Phase 2 if a remote host uses an ID like ID_IPV4_RANGE, ID_IPV6_RANGE, ID_DER_ASN1_DN, ID_DER_ASN1_GN and ID_KEY_ID (read 4.6.2.1 in RFC 2407).

This occurs in the ipsec_set_network function in the ipsec.c file. There are 4 switch instructions in which these cases are not supported. So when the execution gets out of the switch, some pointers are not filled. Then it crashes.

ID_IPV4_RANGE is used for example by ZyWall 10.

Here is the patch for isakmpd.
---------- cut here -------------
*** ipsec.c Wed Jun 04 09:31:16 2003
--- ipsec.c.new Tue Jun 10 11:16:42 2003


  • 460,465 **** --- 460,485 ---- isa->src_mask->sa_len = sizeof (struct sockaddr_in6); #endif break;
    +
    + case IPSEC_ID_IPV4_RANGE:
    + log_print("ipsec_set_network: ID_IPV4_RANGE not supported");
    + return -1;
    +
    + case IPSEC_ID_IPV6_RANGE:
    + log_print("ipsec_set_network: ID_IPV6_RANGE not supported");
    + return -1;
    +
    + case IPSEC_ID_DER_ASN1_DN:
    + log_print("ipsec_set_network: ID_DER_ASN1_DN not supported");
    + return -1;
    +
    + case IPSEC_ID_DER_ASN1_GN:
    + log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
    + return -1;
    +
    + case IPSEC_ID_KEY_ID:
    + log_print("ipsec_set_network: ID_KEY_ID not supported");
    + return -1;
    }

    /* Net */
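
Review bot: the five cases added after the `break;` at 460 have identical bodies, and unless this switch already has a `default:` further up, any ID type not named here would still fall out of it with the pointers unfilled. A single `default:` branch that logs the numeric ID type and returns -1 would cover these five and anything else, in place of the repeated blocks. As a style point, `log_print("` is written without the space before the parenthesis that the surrounding code uses (`sizeof (struct sockaddr_in6)`).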


  • 480,485 **** --- 500,525 ---- sockaddr_addrlen (isa->src_net), sockaddr_addrlen (isa->src_mask)); break;
    +
    + case IPSEC_ID_IPV4_RANGE:
    + log_print("ipsec_set_network: ID_IPV4_RANGE not supported");
    + return -1;
    +
    + case IPSEC_ID_IPV6_RANGE:
    + log_print("ipsec_set_network: ID_IPV6_RANGE not supported");
    + return -1;
    +
    + case IPSEC_ID_DER_ASN1_DN:
    + log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
    + return -1;
    +
    + case IPSEC_ID_DER_ASN1_GN:
    + log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
    + return -1;
    +
    + case IPSEC_ID_KEY_ID:
    + log_print("ipsec_set_network: ID_KEY_ID not supported");
    + return -1;
    }

    memcpy (&isa->sport, src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
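
Review bot: in the `case IPSEC_ID_DER_ASN1_DN:` branch the message reads "ID_DER_ASN1_GN not supported", so a rejected DN would be logged as a GN; it should say ID_DER_ASN1_DN, as the hunk at 460 does. The same string appears in the DN case of the hunks at 530 and 550. If this switch tests the same source ID type as the switch patched at 460, these cases cannot be reached, because that switch has already returned -1 for them, and they could be dropped.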


  • 530,535 **** --- 570,595 ---- isa->dst_mask->sa_len = sizeof (struct sockaddr_in6); #endif break;
    +
    + case IPSEC_ID_IPV4_RANGE:
    + log_print("ipsec_set_network: ID_IPV4_RANGE not supported");
    + return -1;
    +
    + case IPSEC_ID_IPV6_RANGE:
    + log_print("ipsec_set_network: ID_IPV6_RANGE not supported");
    + return -1;
    +
    + case IPSEC_ID_DER_ASN1_DN:
    + log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
    + return -1;
    +
    + case IPSEC_ID_DER_ASN1_GN:
    + log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
    + return -1;
    +
    + case IPSEC_ID_KEY_ID:
    + log_print("ipsec_set_network: ID_KEY_ID not supported");
    + return -1;
    }

    /* Net */
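
Review bot: the `return -1` in these added cases comes after the source side appears to have been set up (the context of the hunk at 480 already passes `isa->src_net` and `isa->src_mask` to `sockaddr_addrlen`), so please confirm that the caller or an error path releases them. If nothing does, every rejected destination ID of one of these types leaves that memory allocated; freeing the source fields before returning, or jumping to a common cleanup label, would avoid that.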


  • 550,555 **** --- 610,635 ---- sockaddr_addrlen (isa->dst_net), sockaddr_addrlen (isa->dst_mask)); break;
    +
    + case IPSEC_ID_IPV4_RANGE:
    + log_print("ipsec_set_network: ID_IPV4_RANGE not supported");
    + return -1;
    +
    + case IPSEC_ID_IPV6_RANGE:
    + log_print("ipsec_set_network: ID_IPV6_RANGE not supported");
    + return -1;
    +
    + case IPSEC_ID_DER_ASN1_DN:
    + log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
    + return -1;
    +
    + case IPSEC_ID_DER_ASN1_GN:
    + log_print("ipsec_set_network: ID_DER_ASN1_GN not supported");
    + return -1;
    +
    + case IPSEC_ID_KEY_ID:
    + log_print("ipsec_set_network: ID_KEY_ID not supported");
    + return -1;
    }

    memcpy (&isa->tproto, dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PROTO_OFF,
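
Review bot: the messages in these cases are word for word the same as those in the other three hunks, so a log line cannot show whether the source or the destination ID was rejected. Adding "src" or "dst" to the text (and ideally the peer's address, if it is available at this point) would make the rejection traceable when a device such as the ZyWall mentioned above fails to negotiate.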
---------- cut here -------------

Eric Boudrand

----- Original Message -----
From: "Cedric Berger" <cedric@berger.to>
To: "Eric Boudrand" <eb@sistech.fr>
Cc: <tech@openbsd.org>
Sent: Tuesday, June 10, 2003 9:45 AM
Subject: Re: IPV4_RANGE causes isakmpd crash

> Eric Boudrand wrote:
>
> >Hi,
> >
> >I have found that isakmpd can crash during Phase 2 if the remote host uses
> >IPV4_RANGE IDs. I have also found in which source code file this occurs. Can
> >I send a patch ?
> >
> Of course!
>
> > And to whom ?
> >
> To that list, or to one of the isakmpd developers like niklas@openbsd.org
> or ho@openbsd.org
> Cedric
Received on Tue Jun 10 05:53:10 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:58 EDT

