List: ipsec-tools-devel
Subject: Re: [Ipsec-tools-devel] [Ipsec-tools-core] Potential Vulnerability Discovered in IPsec-Tools
From: Rainer Weikusat <rweikusat () mobileactivedefense ! com>
Date: 2016-10-18 20:45:38
Message-ID: 878ttl4c99.fsf () doppelsaurus ! mobileactivedefense ! com
Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
[...]
> + current = next;
> + if (current->frag_num == item->frag_num) {
> + plog(LLV_DEBUG, LOCATION, NULL, "duplicate fragment %d\n",
> + item->frag_num);
> +
> + free(item);
> + return 0;
> + }
This leaks memory in both early exits as the data is in a dynamically
allocated buffer[*].
[*] It also calls free instead of racoon_free. This doesn't really
matter because the only difference is that the code could be compiled
with the Boehm-GC and I doubt anyone uses that (plain malloc is also
used in other places).
---
diff -rNu ipsec-tools-0.8.0/src/racoon/isakmp_frag.c patched/src/racoon/isakmp_frag.c
--- ipsec-tools-0.8.0/src/racoon/isakmp_frag.c 2009-04-22 12:24:20.000000000 +0100
+++ patched/src/racoon/isakmp_frag.c 2016-10-18 21:37:12.033038458 +0100
@@ -231,14 +231,35 @@
if (iph1->frag_chain == NULL) {
iph1->frag_chain = item;
} else {
- struct isakmp_frag_item *current;
+ struct isakmp_frag_item *current, *next;
- current = iph1->frag_chain;
- while (current->frag_next) {
- if (current->frag_last)
- last_frag = item->frag_num;
- current = current->frag_next;
- }
+ next = iph1->frag_chain;
+ do {
+ current = next;
+ if (current->frag_num == item->frag_num) {
+ plog(LLV_DEBUG, LOCATION, NULL, "duplicate fragment %d\n",
+ item->frag_num);
+
+ racoon_free(item);
+ vfree(buf);
+
+ return 0;
+ }
+
+ if (current->last_frag) {
+ if (item->last_frag) {
+ plog(LLV_WARNING, LOCATION, NULL, "multiple last fragments received\n");
+
+ racoon_free(item);
+ vfree(buf);
+
+ return -1;
+ }
+
+ last_frag = current->frag_num;
+ }
+ } while ((next = next->next));
+
current->frag_next = item;
}
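Review bot: The added do/while loop names the struct members differently from the rest of this hunk: the new lines test `current->last_frag` and `item->last_frag` and advance with `next->next`, while the removed lines and the unchanged `current->frag_next = item;` use `frag_last` and `frag_next`. Unless `struct isakmp_frag_item` carries both sets of members, these should read `current->frag_last`, `item->frag_last` and `while ((next = next->frag_next));` so the walk follows the same link that the append at the end of the hunk writes to. It is also worth a short comment above the loop stating that both early exits own and release `item` and `buf`, since that is the leak the earlier version of the patch had.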