Date:      Sat, 26 Nov 2005 18:47:38 GMT
From:      Manuel Kasper <mk@neon1.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/89599: [fix] security/ipsec-tools: racoon crashes under FreeBSD 4.11
Message-ID:  <200511261847.jAQIlcQi052779@www.freebsd.org>
Resent-Message-ID: <200511261850.jAQIo2BY040802@freefall.freebsd.org>

>Number:         89599
>Category:       ports
>Synopsis:       [fix] security/ipsec-tools: racoon crashes under FreeBSD 4.11
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 26 18:50:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Manuel Kasper
>Release:        FreeBSD 4.11-RELEASE-p13
>Organization:
>Environment:
FreeBSD fb411.neon1.net 4.11-RELEASE-p13 FreeBSD 4.11-RELEASE-p13 #0: Sat Nov 26 11:53:57 CET 2005     root@fb411.neon1.net:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
racoon from ipsec-tools 0.6.3 (installed via ports) doesn't appear to
work properly under FreeBSD 4.11. As soon as the first IKE packet is
received from a client, it'll crash with signal 11. I've traced this to
line 1745 in isakmp.c, where it calls plog() with a format string that
is later passed on to vfprintf(). Apparently, unlike FreeBSD 5/6,
FreeBSD 4.11's vfprintf() doesn't support the 'z' length modifier (which
is used to print size_t safely), so it'll ignore the first conversion
specification and then use sbuf->l for the %s, accessing an invalid
memory location in the process.

The configure script even checks for this ("checking if printf accepts
%z... no"), but only adds -Wno-format to CFLAGS, which obviously doesn't
solve the problem.
>How-To-Repeat:
Install ipsec-tools 0.6.3 via ports on a FreeBSD 4.11 machine. Configure
and start racoon. Establish an IKE session from a remote client. Observe
racoon dump core immediately.
>Fix:
The solution for me was to replace all occurrences of %zu with %lu in src/racoon.
>Release-Note:
>Audit-Trail:
>Unformatted:
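The failure the PR describes is an argument/format mismatch: when a libc ignores the 'z' length modifier, the size_t meant for %zu is handed to the following %s as a pointer. The example below is added here and is not part of the PR or of ipsec-tools; it shows a runtime probe equivalent to the configure check the PR quotes, and the %lu-with-cast substitution the submitter applied, in a form that can be compiled and tried on any libc.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Runtime equivalent of the configure test quoted in the PR
 * ("checking if printf accepts %z"): format a known size_t with %zu and
 * check that the digits came back. Returns 1 if the libc honours the C99
 * 'z' length modifier, 0 if it does not (the FreeBSD 4.11 case). */
int printf_accepts_z(void)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%zu", (size_t)12345);
    return n == 5 && strcmp(buf, "12345") == 0;
}

/* Portable replacement for a "%zu ... %s" message: widen the size_t to
 * unsigned long and print it with %lu, which even a C89 libc understands.
 * This is the substitution the PR applied across src/racoon. The cast
 * only truncates where size_t is wider than unsigned long, which is not
 * the case on FreeBSD i386 or amd64. Returns the snprintf result. */
int format_len_msg(char *out, size_t outsz, size_t len, const char *name)
{
    return snprintf(out, outsz, "%lu bytes in %s", (unsigned long)len, name);
}

/* Choose the format at run time: use %zu where the probe says it is safe,
 * otherwise fall back to the %lu form so a size_t is never left for %s.
 * (Contrast with the configure script, which only silenced the warning.) */
int format_len_msg_probed(char *out, size_t outsz, size_t len, const char *name)
{
    if (printf_accepts_z())
        return snprintf(out, outsz, "%zu bytes in %s", len, name);
    return format_len_msg(out, outsz, len, name);
}

int main(void)
{
    char msg[64];
    printf("printf accepts %%z: %s\n", printf_accepts_z() ? "yes" : "no");
    format_len_msg(msg, sizeof msg, (size_t)40, "isakmp payload");
    puts(msg);
    return 0;
}
```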