Original patch from Atis Elsts:

Fix a double memory free and a memory corruption (LIST_REMOVE() on an uninserted node) in some error handling paths.
2008-07-11 08:02:06 +00:00 · 2008-07-11 08:02:06 +00:00 · 75bc4bd6cd
parent 76c8d40dd1
commit 75bc4bd6cd
3 changed files with 12 additions and 19 deletions
--- a/crypto/dist/ipsec-tools/ChangeLog
+++ b/crypto/dist/ipsec-tools/ChangeLog
@ -1,3 +1,9 @@
+2008-07-11  Timo Teras  <timo.teras@iki.fi>
+	Track:259, original patch from Atis Elsts <the.kfx@gmail.com>:
+	* src/racoon/isakmp.c, src/racoon/isakmp_inf.c: fix double memfree
+	  by changing copy_ph1addresses() to not free ph1 on failure
+	  and remove misplaced remph1() calls causing memory corruption
+
 2008-07-09  Timo Teras  <timo.teras@iki.fi>
 	Track:269, from Chong Peng <chongpeng@gmail.com>:
 	* src/racoon/cfparse.y: remove parser initialization causing
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c
@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.35 2008/06/18 07:04:23 mgrooms Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.36 2008/07/11 08:02:06 tteras Exp $	*/

 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */

@ -1041,7 +1041,6 @@ isakmp_ph1begin_i(rmconf, remote, local)
 #endif
 #ifdef ENABLE_HYBRID
 	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
-		remph1(iph1);
 		delph1(iph1);
 		return NULL;
 	}
@ -1058,7 +1057,6 @@ isakmp_ph1begin_i(rmconf, remote, local)

 	/* XXX copy remote address */
 	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
-		remph1(iph1);
 		delph1(iph1);
 		return NULL;
 	}
@ -1160,7 +1158,6 @@ isakmp_ph1begin_r(msg, remote, local, etype)
 #endif
 #ifdef ENABLE_HYBRID
 	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
-		remph1(iph1);
 		delph1(iph1);
 		return -1;
 	}
@ -1182,7 +1179,6 @@ isakmp_ph1begin_r(msg, remote, local, etype)

 	/* copy remote address */
 	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
-		remph1(iph1);
 		delph1(iph1);
 		return -1;
 	}
@ -2936,10 +2932,8 @@ copy_ph1addresses(iph1, rmconf, remote, local)

 	/* address portion must be grabbed from real remote address "remote" */
 	iph1->remote = dupsaddr(remote);
-	if (iph1->remote == NULL) {
-		delph1(iph1);
+	if (iph1->remote == NULL)
 		return -1;
-	}

 	/*
 	 * if remote has no port # (in case of initiator - from ACQUIRE msg)
@ -2959,10 +2953,8 @@ copy_ph1addresses(iph1, rmconf, remote, local)
 		iph1->local = getlocaladdr(iph1->remote);
 	else
 		iph1->local = dupsaddr(local);
-	if (iph1->local == NULL) {
-		delph1(iph1);
+	if (iph1->local == NULL)
 		return -1;
-	}

 	if (extract_port(iph1->local) == 0)
 		set_port(iph1->local, PORT_ISAKMP);
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.29 2008/07/02 14:46:27 vanhu Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.30 2008/07/11 08:02:06 tteras Exp $	*/

 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */

@ -728,10 +728,8 @@ isakmp_info_send_nx(isakmp, remote, local, type, data)
 	iph1->flags = 0;
 	iph1->msgid = 0;	/* XXX */
 #ifdef ENABLE_HYBRID
-	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
-		error = -1;
+	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
 		goto end;
-	}
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
@ -739,10 +737,8 @@ isakmp_info_send_nx(isakmp, remote, local, type, data)
 #endif

 	/* copy remote address */
-	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
-		error = -1;
+	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
 		goto end;
-	}

 	tlen = sizeof(*n) + spisiz;
 	if (data)
@ -751,7 +747,6 @@ isakmp_info_send_nx(isakmp, remote, local, type, data)
 	if (payload == NULL) { 
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to get buffer to send.\n");
-		error = -1;
 		goto end;
 	}