[Ipsec-tools-devel] racoon crash in mode_cfg reply parsing

[Ray K. <ata...@gm...>]

Here's the second problem I've seen as a new user. Probably more
serious, as it involves a crash. Again, 0.7.3 on Arch Linux.

If I bring up an ISAKMP-SA, with mode_cfg pull active, and don't
immediately get quick mode started, the following bad behavior ensues.
(If I do start quick mode right away, all appears to be fine.)

No mode_cfg ack is ever sent to the gateway (bug #1?), so the peer
re-sends the mode_cfg reply packet. racoon tries to process this
packet, even though it's a duplicate of the one it just saw(bug #2?).
This makes a mess of the data gathered from mode_cfg (in particular
the data that comes in lists, which will now get duplicates).

During the processing of that second mode_cfg reply, racoon crashes
while trying to append onto the SPLIT_INCLUDE list (bug #3). It
appears to be overrunning a buffer in script_env_append. I'd expect
there's a chance of this happening when processing the first mode_cfg
reply as well, though I've never seen it crash there.

A co-worker of mine used valgrind to find the location of the memory
corruption, and wrote a patch. It's a trivial change, though I haven't
really looked at it to understand why it works. Here it is:

--- ipsec-tools-0.7.3/src/racoon/isakmp_unity.c 2009-09-17
02:17:20.000000000 -0400
+++ ipsec-tools-0.7.3x/src/racoon/isakmp_unity.c        2009-09-17
09:56:51.000000000 -0400
@@ -364,7 +364,7 @@
        int len;

        /* determine string length */
-       len = 0;
+       len = 1;
        netentry = list;
        while (netentry != NULL) {


The output following is from running "racoon -Fd" under gdb. It starts
when racoon begins to process the second mode_cfg reply.

2009-10-06 11:43:29: DEBUG: Configuration exchange type mode config REPLY
2009-10-06 11:43:29: DEBUG: Attribute INTERNAL_IP4_ADDRESS, len 4
2009-10-06 11:43:29: DEBUG: Attribute INTERNAL_IP4_DNS, len 4
2009-10-06 11:43:29: DEBUG: Attribute INTERNAL_IP4_DNS, len 4
2009-10-06 11:43:29: ERROR: Too many addresses given
2009-10-06 11:43:29: DEBUG: Attribute INTERNAL_IP4_NBNS, len 4
2009-10-06 11:43:29: DEBUG: Attribute INTERNAL_IP4_NBNS, len 4
2009-10-06 11:43:29: ERROR: Too many addresses given
2009-10-06 11:43:29: DEBUG: Attribute UNITY_SPLIT_INCLUDE, len 140
2009-10-06 11:43:29: DEBUG: Attribute UNITY_DEF_DOMAIN, len 12
2009-10-06 11:43:29: DEBUG: Attribute APPLICATION_VERSION, len 85
2009-10-06 11:43:29: WARNING: Ignored attribute APPLICATION_VERSION
2009-10-06 11:43:29: DEBUG: Starting a script.
*** glibc detected ***
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon: malloc():
memory corruption: 0x00000000010326c0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f5002e03db6]
/lib/libc.so.6[0x7f5002e06a2e]
/lib/libc.so.6(__libc_malloc+0x6e)[0x7f5002e087de]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x4077e6]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x44f5c6]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x407f7f]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x451ab7]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x451f8f]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x40b784]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x40ced0]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x4063a7]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x405939]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f5002db19ed]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x4054d9]
======= Memory map: ========
00400000-00482000 r-xp 00000000 08:02 526254
  /home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon
00681000-00684000 rw-p 00081000 08:02 526254
  /home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon
00684000-00689000 rw-p 00000000 00:00 0
01016000-01054000 rw-p 00000000 00:00 0                                  [heap]
7f4ffc000000-7f4ffc021000 rw-p 00000000 00:00 0
7f4ffc021000-7f5000000000 ---p 00000000 00:00 0
7f500250a000-7f5002520000 r-xp 00000000 08:02 1067
  /usr/lib/libgcc_s.so.1
7f5002520000-7f500271f000 ---p 00016000 08:02 1067
  /usr/lib/libgcc_s.so.1
7f500271f000-7f5002720000 rw-p 00015000 08:02 1067
  /usr/lib/libgcc_s.so.1
7f5002720000-7f5002776000 r-xp 00000000 08:02 4242
  /lib/libncursesw.so.5.7
7f5002776000-7f5002975000 ---p 00056000 08:02 4242
  /lib/libncursesw.so.5.7
7f5002975000-7f500297a000 rw-p 00055000 08:02 4242
  /lib/libncursesw.so.5.7
7f500297a000-7f500298f000 r-xp 00000000 08:02 7009
  /usr/lib/libz.so.1.2.3.3
7f500298f000-7f5002b8e000 ---p 00015000 08:02 7009
  /usr/lib/libz.so.1.2.3.3
7f5002b8e000-7f5002b8f000 rw-p 00014000 08:02 7009
  /usr/lib/libz.so.1.2.3.3
7f5002b8f000-7f5002b91000 r-xp 00000000 08:02 606
  /lib/libdl-2.10.1.so
7f5002b91000-7f5002d91000 ---p 00002000 08:02 606
  /lib/libdl-2.10.1.so
7f5002d91000-7f5002d92000 r--p 00002000 08:02 606
  /lib/libdl-2.10.1.so
7f5002d92000-7f5002d93000 rw-p 00003000 08:02 606
  /lib/libdl-2.10.1.so
7f5002d93000-7f5002edc000 r-xp 00000000 08:02 581
  /lib/libc-2.10.1.so
7f5002edc000-7f50030dc000 ---p 00149000 08:02 581
  /lib/libc-2.10.1.so
7f50030dc000-7f50030e0000 r--p 00149000 08:02 581
  /lib/libc-2.10.1.so
7f50030e0000-7f50030e1000 rw-p 0014d000 08:02 581
  /lib/libc-2.10.1.so
7f50030e1000-7f50030e6000 rw-p 00000000 00:00 0
7f50030e6000-7f50030ee000 r-xp 00000000 08:02 591
  /lib/libcrypt-2.10.1.so
7f50030ee000-7f50032ed000 ---p 00008000 08:02 591
  /lib/libcrypt-2.10.1.so
7f50032ed000-7f50032ee000 r--p 00007000 08:02 591
  /lib/libcrypt-2.10.1.so
7f50032ee000-7f50032ef000 rw-p 00008000 08:02 591
  /lib/libcrypt-2.10.1.so
7f50032ef000-7f500331d000 rw-p 00000000 00:00 0
7f500331d000-7f5003357000 r-xp 00000000 08:02 6630
  /lib/libreadline.so.6.0
7f5003357000-7f5003557000 ---p 0003a000 08:02 6630
  /lib/libreadline.so.6.0
7f5003557000-7f500355f000 rw-p 0003a000 08:02 6630
  /lib/libreadline.so.6.0
7f500355f000-7f5003560000 rw-p 00000000 00:00 0
7f5003560000-7f5003573000 r-xp 00000000 08:02 646
  /lib/libresolv-2.10.1.so
7f5003573000-7f5003772000 ---p 00013000 08:02 646
  /lib/libresolv-2.10.1.so
7f5003772000-7f5003773000 r--p 00012000 08:02 646
  /lib/libresolv-2.10.1.so
7f5003773000-7f5003774000 rw-p 00013000 08:02 646
  /lib/libresolv-2.10.1.so
7f5003774000-7f5003776000 rw-p 00000000 00:00 0
7f5003776000-7f50038dc000 r-xp 00000000 08:02 12421
  /usr/lib/libcrypto.so.0.9.8
7f50038dc000-7f5003adc000 ---p 00166000 08:02 12421
  /usr/lib/libcrypto.so.0.9.8
7f5003adc000-7f5003b01000 rw-p 00166000 08:02 12421
  /usr/lib/libcrypto.so.0.9.8
7f5003b01000-7f5003b04000 rw-p 00000000 00:00 0
7f5003b04000-7f5003b06000 r-xp 00000000 08:02 618
  /lib/libutil-2.10.1.so
7f5003b06000-7f5003d05000 ---p 00002000 08:02 618
  /lib/libutil-2.10.1.so
7f5003d05000-7f5003d06000 r--p 00001000 08:02 618
  /lib/libutil-2.10.1.so
7f5003d06000-7f5003d07000 rw-p 00002000 08:02 618
  /lib/libutil-2.10.1.so
7f5003d07000-7f5003d24000 r-xp 00000000 08:02 595
  /lib/ld-2.10.1.so
7f5003f0d000-7f5003f12000 rw-p 00000000 00:00 0
7f5003f21000-7f5003f23000 rw-p 00000000 00:00 0
7f5003f23000-7f5003f24000 r--p 0001c000 08:02 595
  /lib/ld-2.10.1.so
7f5003f24000-7f5003f25000 rw-p 0001d000 08:02 595
  /lib/ld-2.10.1.so
7fffe3a0c000-7fffe3a21000 rw-p 00000000 00:00 0                          [stack]
7fffe3b33000-7fffe3b34000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007f5002dc4f15 in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00007f5002dc4f15 in raise () from /lib/libc.so.6
#1  0x00007f5002dc6340 in abort () from /lib/libc.so.6
#2  0x00007f5002dfe92d in __libc_message () from /lib/libc.so.6
#3  0x00007f5002e03db6 in malloc_printerr () from /lib/libc.so.6
#4  0x00007f5002e06a2e in _int_malloc () from /lib/libc.so.6
#5  0x00007f5002e087de in malloc () from /lib/libc.so.6
#6  0x00000000004077e6 in script_env_append (envp=0x7fffe3a1f3a8,
envc=0x7fffe3a1f3bc, name=0x468915 "SPLIT_INCLUDE",
    value=0x10324c0 "86.36.32.0/255.255.240.0 172.18.0.0/255.254.0.0
172.20.0.0/255.254.0.0 204.194.24.0/255.255.248.0
128.2.1.0/255.255.255.0 128.2.14.0/255.255.255.0
128.2.15.0/255.255.255.128 128.2.104.0/255.255.255.0 "...) at
isakmp.c:3121
#7  0x000000000044f5c6 in isakmp_cfg_setenv (iph1=0x102ea00,
envp=0x7fffe3a1f3a8, envc=0x7fffe3a1f3bc) at isakmp_cfg.c:2015
#8  0x0000000000407f7f in script_hook (iph1=0x4fe3, script=<value
optimized out>) at isakmp.c:3057
#9  0x0000000000451ab7 in isakmp_cfg_reply (iph1=0x102ea00,
attrpl=<value optimized out>) at isakmp_cfg.c:458
#10 0x0000000000451f8f in isakmp_cfg_r (iph1=0x102ea00, msg=<value
optimized out>) at isakmp_cfg.c:249
#11 0x000000000040b784 in isakmp_main (msg=0x1032330,
remote=0x7fffe3a1f5c0, local=<value optimized out>) at isakmp.c:754
#12 0x000000000040ced0 in isakmp_handler (so_isakmp=<value optimized
out>) at isakmp.c:376
#13 0x00000000004063a7 in session () at session.c:219
#14 0x0000000000405939 in main (ac=2, av=<value optimized out>) at main.c:270
(gdb) up 7
#7  0x000000000044f5c6 in isakmp_cfg_setenv (iph1=0x102ea00,
envp=0x7fffe3a1f3a8, envc=0x7fffe3a1f3bc) at isakmp_cfg.c:2015
2015		if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) {
(gdb) l
2010		else {
2011			splitlist = addrlist;
2012			addrlist[0] = '\0';
2013		}
2014	
2015		if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) {
2016			plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n");
2017			return -1;
2018		}
2019		if (splitlist != addrlist)
(gdb) down 1
#6  0x00000000004077e6 in script_env_append (envp=0x7fffe3a1f3a8,
envc=0x7fffe3a1f3bc, name=0x468915 "SPLIT_INCLUDE",
    value=0x10324c0 "86.36.32.0/255.255.240.0 172.18.0.0/255.254.0.0
172.20.0.0/255.254.0.0 204.194.24.0/255.255.248.0
128.2.1.0/255.255.255.0 128.2.14.0/255.255.255.0
128.2.15.0/255.255.255.128 128.2.104.0/255.255.255.0 "...) at
isakmp.c:3121
3121		envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
(gdb) l
3116	{
3117		char *envitem;
3118		char **newenvp;
3119		int newenvc;
3120	
3121		envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
3122		if (envitem == NULL) {
3123			plog(LLV_ERROR, LOCATION, NULL,
3124			    "Cannot allocate memory: %s\n", strerror(errno));
3125			return -1;
(gdb)