[talk] IPSec vulnerability?

Christos Zoulas christos at zoulas.com
Tue May 19 11:17:33 EDT 2015


On May 19, 11:13am, christos at zoulas.com (Christos Zoulas) wrote:
-- Subject: Re: [talk] IPSec vulnerability?

| And it doesn't :-( I kept trying and I was able to reproduce the
| coredump using the provided server configuration file. I.e. some
| configurations are vulnerable and others are not. I was not able
| to make the server coredump using the other scripts. Here's the
| patch I am planning to commit...

The check should be done earlier to prevent a memory leak:

Index: gssapi.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/gssapi.c,v
retrieving revision 1.4
retrieving revision 1.6
diff -u -r1.4 -r1.6
--- gssapi.c    9 Sep 2006 16:22:09 -0000       1.4
+++ gssapi.c    19 May 2015 15:16:00 -0000      1.6
@@ -192,6 +192,11 @@
        gss_name_t princ, canon_princ;
        OM_uint32 maj_stat, min_stat;
 
+       if (iph1->rmconf == NULL) {
+               plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
+               return -1;
+       }
+
        gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
        if (gps == NULL) {
                plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");




More information about the talk mailing list