Fri Jun 19 07:32:52 2009 UTC ()
Backport S.P.Zeidler's fix to IPv6 address related stack smashing in
ipsecdoi_id2str() from CVS HEAD.


(tteras)
diff -r1.23.4.9 -r1.23.4.10 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c


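--- a/src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
+++ b/src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
@@ -1,14 +1,14 @@
-/* $NetBSD: ipsec_doi.c,v 1.23.4.9 2008/06/18 07:30:19 mgrooms Exp $ */
+/* $NetBSD: ipsec_doi.c,v 1.23.4.10 2009/06/19 07:32:52 tteras Exp $ */
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
@@ -4371,64 +4371,78 @@ ipsecdoi_id2sockaddr(buf, saddr, prefixl
 /*
  * make printable string from ID payload except of general header.
  */
 char *
 ipsecdoi_id2str(id)
  const vchar_t *id;
 {
 #define BUFLEN 512
  char * ret = NULL;
  int len = 0;
  char *dat;
  static char buf[BUFLEN];
  struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)id->v;
- struct sockaddr saddr;
+ struct sockaddr_storage saddr_storage;
+ struct sockaddr *saddr;
+ struct sockaddr_in *saddr_in;
+ struct sockaddr_in6 *saddr_in6;
  u_int plen = 0;
 
+ saddr = (struct sockaddr *)&saddr_storage;
+ saddr_in = (struct sockaddr_in *)&saddr_storage;
+ saddr_in6 = (struct sockaddr_in6 *)&saddr_storage;
+
+
  switch (id_b->type) {
  case IPSECDOI_ID_IPV4_ADDR:
  case IPSECDOI_ID_IPV4_ADDR_SUBNET:
  case IPSECDOI_ID_IPV4_ADDR_RANGE:
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in);
+ saddr->sa_len = sizeof(struct sockaddr_in);
 #endif
- saddr.sa_family = AF_INET;
- ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
+ saddr->sa_family = AF_INET;
+
+ saddr_in->sin_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in->sin_addr,
  id->v + sizeof(*id_b), sizeof(struct in_addr));
  break;
 #ifdef INET6
  case IPSECDOI_ID_IPV6_ADDR:
  case IPSECDOI_ID_IPV6_ADDR_SUBNET:
  case IPSECDOI_ID_IPV6_ADDR_RANGE:
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in6);
+ saddr->sa_len = sizeof(struct sockaddr_in6);
 #endif
- saddr.sa_family = AF_INET6;
- ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
+ saddr->sa_family = AF_INET6;
+
+ saddr_in6->sin6_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in6->sin6_addr,
  id->v + sizeof(*id_b), sizeof(struct in6_addr));
+ saddr_in6->sin6_scope_id =
+ (IN6_IS_ADDR_LINKLOCAL(&saddr_in6->sin6_addr)
+ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ : 0);
  break;
 #endif
  }
 
  switch (id_b->type) {
  case IPSECDOI_ID_IPV4_ADDR:
 #ifdef INET6
  case IPSECDOI_ID_IPV6_ADDR:
 #endif
- len = snprintf( buf, BUFLEN, "%s", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s", saddrwop2str(saddr));
  break;
 
  case IPSECDOI_ID_IPV4_ADDR_SUBNET:
 #ifdef INET6
  case IPSECDOI_ID_IPV6_ADDR_SUBNET:
 #endif
  {
  u_char *p;
  u_int max;
  int alen = sizeof(struct in_addr);
 
  switch (id_b->type) {
  case IPSECDOI_ID_IPV4_ADDR_SUBNET:
@@ -4464,62 +4478,66 @@ ipsecdoi_id2str(id)
  if (plen < max) {
  u_int l = 0;
  u_char b = ~(*p);
 
  while (b) {
  b >>= 1;
  l++;
  }
 
  l = 8 - l;
  plen += l;
  }
 
- len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(&saddr), plen);
+ len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(saddr), plen);
  }
  break;
 
  case IPSECDOI_ID_IPV4_ADDR_RANGE:
 
- len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(saddr));
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in);
+ saddr->sa_len = sizeof(struct sockaddr_in);
 #endif
- saddr.sa_family = AF_INET;
- ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
+ saddr->sa_family = AF_INET;
+ saddr_in->sin_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in->sin_addr,
  id->v + sizeof(*id_b) + sizeof(struct in_addr),
  sizeof(struct in_addr));
 
- len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr));
+ len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(saddr));
 
  break;
 
 #ifdef INET6
  case IPSECDOI_ID_IPV6_ADDR_RANGE:
 
- len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(saddr));
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in6);
+ saddr->sa_len = sizeof(struct sockaddr_in6);
 #endif
- saddr.sa_family = AF_INET6;
- ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
+ saddr->sa_family = AF_INET6;
+ saddr_in6->sin6_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in6->sin6_addr,
  id->v + sizeof(*id_b) + sizeof(struct in6_addr),
  sizeof(struct in6_addr));
+ saddr_in6->sin6_scope_id =
+ (IN6_IS_ADDR_LINKLOCAL(&saddr_in6->sin6_addr)
+ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ : 0);
 
- len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr));
+ len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(saddr));
 
  break;
 #endif
 
  case IPSECDOI_ID_FQDN:
  case IPSECDOI_ID_USER_FQDN:
  len = id->l - sizeof(*id_b);
  if (len > BUFLEN)
  len = BUFLEN;
  memcpy(buf, id->v + sizeof(*id_b), len);
  break;
 
  case IPSECDOI_ID_DER_ASN1_DN: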
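Review bot: The `sin6_scope_id` assignment added at new lines 4422-4425 (and again at 4525-4528) reads through `(struct sockaddr_in6 *)id_b`, although `id_b` points at the ID payload in `id->v`, which the rest of the function treats as an `ipsecdoi_id_b` header followed by raw address bytes rather than a sockaddr. With the usual `sockaddr_in6` layout that field lies beyond a header-plus-one-address payload, so for a link-local `IPSECDOI_ID_IPV6_ADDR` this looks like a read past the received data, and in the subnet and range cases it would take bytes of the second address or mask as the scope. Unless the scope is available from another source, `saddr_in6->sin6_scope_id = 0;` is the safer form. The `memcpy` calls from `id->v + sizeof(*id_b)` are also still not preceded by a check of `id->l` against the header plus address size, and `saddr_storage` is never zeroed, so I would add `memset(&saddr_storage, 0, sizeof(saddr_storage));` before the first switch and a length guard in each address case. `ipsecdoi_id2str` continues past the last hunk, so its remaining cases are not reviewed here.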