ports/89599: [fix] security/ipsec-tools: racoon crashes under FreeBSD 4.11

Manuel Kasper mk at neon1.net
Sat Nov 26 18:50:27 UTC 2005


>Number:         89599
>Category:       ports
>Synopsis:       [fix] security/ipsec-tools: racoon crashes under FreeBSD 4.11
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 26 18:50:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Manuel Kasper
>Release:        FreeBSD 4.11-RELEASE-p13
>Organization:
>Environment:
FreeBSD fb411.neon1.net 4.11-RELEASE-p13 FreeBSD 4.11-RELEASE-p13 #0: Sat Nov 26 11:53:57 CET 2005     root at fb411.neon1.net:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
racoon from ipsec-tools 0.6.3 (installed via ports) doesn't appear to
work properly under FreeBSD 4.11. As soon as the first IKE packet is
received from a client, it'll crash with signal 11. I've traced this to
line 1745 in isakmp.c, where it calls plog() with a format string that
is later passed on to vfprintf(). Apparently, unlike FreeBSD 5/6,
FreeBSD 4.11's vfprintf() doesn't support the 'z' length modifier (which
is used to print size_t safely), so it'll ignore the first conversion
specification and then use sbuf->l for the %s, accessing an invalid
memory location in the process.

The configure script even checks for this ("checking if printf accepts
%z... no"), but only adds -Wno-format to CFLAGS, which obviously doesn't
solve the problem.
>How-To-Repeat:
Install ipsec-tools 0.6.3 via ports on a FreeBSD 4.11 machine. Configure
and start racoon. Establish an IKE session from a remote client. Observe
racoon dump core immediately.
>Fix:
The solution for me was to replace all occurrences of %zu with %lu in src/racoon.
>Release-Note:
>Audit-Trail:
>Unformatted:
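The hazard described in this report, as an added C example that is not part of the PR or of the ipsec-tools sources: a configure-style probe for `%z` support (the check the report quotes), a small scanner that flags format strings using the `z` length modifier so they can be caught before they reach a libc that ignores it, and the cast-to-`unsigned long` form the reporter substituted for `%zu`. The function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Probe modelled on the configure check quoted in the report
   ("checking if printf accepts %z"): format a known size_t with %zu
   and compare against what a C99 libc must produce. Returns 1 if the
   'z' modifier is honoured, 0 otherwise. On a libc that ignores 'z'
   the argument list is walked out of step with the format string,
   which is why a failed probe should fail the build or select the
   cast-based wrapper below rather than merely silence -Wformat. */
int printf_accepts_z(void)
{
    char buf[32];
    size_t probe = 12345;                 /* constructed test value */
    int n = snprintf(buf, sizeof buf, "%zu", probe);
    return n == 5 && strcmp(buf, "12345") == 0;
}

/* Scan a printf-style format string and report whether any
   conversion uses the 'z' length modifier. Handles "%%" as a literal
   percent and skips flags, field width and precision before looking
   at the modifier. Useful as a build-time lint when targeting a libc
   without C99 printf support. Returns 1 if 'z' is used, else 0. */
int fmt_uses_z(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                    /* literal percent sign */
            continue;
        /* flags, width, precision: - + space # 0 digits . * */
        while (*p && strchr("-+ #0123456789.*", *p))
            p++;
        if (*p == 'z')
            return 1;
        if (!*p)
            break;                        /* dangling '%' at end */
    }
    return 0;
}

/* Portable way to log a size_t alongside a string, mirroring the fix
   applied in the report: cast to unsigned long and use %lu, which
   every libc understands, so the %s still receives the pointer it
   expects. Writes into a static buffer and returns it. */
const char *format_len_portable(size_t len, const char *what)
{
    static char out[128];
    snprintf(out, sizeof out, "length %lu, name %s",
             (unsigned long)len, what);
    return out;
}

int main(void)
{
    printf("printf accepts %%z: %s\n", printf_accepts_z() ? "yes" : "no");
    printf("uses z: %d\n", fmt_uses_z("payload length %zu, type %s"));
    printf("%s\n", format_len_portable(42, "SA"));
    return 0;
}
```

On a platform whose `vfprintf()` lacks `z`, the probe itself is the risky call, so it belongs in configure (where the report notes it already exists) with a hard failure or an automatic switch to the cast form, not in the running daemon.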