ipsec-tools-0.6.7-1.1mdv2008.0.src.rpm

diff -up ipsec-tools-0.6.5/src/racoon/dnssec.c.leaks ipsec-tools-0.6.5/src/racoon/dnssec.c
--- ipsec-tools-0.6.5/src/racoon/dnssec.c.leaks	2005-08-14 23:42:40.000000000 +0200
+++ ipsec-tools-0.6.5/src/racoon/dnssec.c	2008-08-13 22:30:53.000000000 +0200
@@ -94,7 +94,7 @@ dnssec_getcert(id)
 			"inpropper ID type passed %s "
 			"though getcert method is dnssec.\n",
 			s_ipsecdoi_ident(id_b->type));
-		return NULL;
+		goto err;
 	}
 
 	/* check response */
@@ -143,7 +143,10 @@ end:
 err:
 	if (name)
 		racoon_free(name);
-	if (cert)
+	if (cert) {
 		oakley_delcert(cert);
+		cert = NULL;
+	}
+
 	goto end;
 }
diff -up ipsec-tools-0.6.5/src/racoon/racoonctl.c.leaks ipsec-tools-0.6.5/src/racoon/racoonctl.c
--- ipsec-tools-0.6.5/src/racoon/racoonctl.c.leaks	2005-04-21 11:07:20.000000000 +0200
+++ ipsec-tools-0.6.5/src/racoon/racoonctl.c	2008-08-13 22:30:53.000000000 +0200
@@ -338,7 +338,7 @@ evt_poll(void) {
 		(void)select(0, NULL, NULL, NULL, &tv);
 	}
 
-	/* NOTREACHED */
+	vfree(sendbuf);
 	return 0;
 }
 
@@ -550,7 +550,7 @@ f_deletesa(ac, av)
 
 	buf = vmalloc(sizeof(*head) + index->l);
 	if (buf == NULL)
-		return NULL;
+		goto out;
 
 	head = (struct admin_com *)buf->v;
 	head->ac_len = buf->l + index->l;
@@ -560,6 +560,10 @@ f_deletesa(ac, av)
 
 	memcpy(buf->v+sizeof(*head), index->v, index->l);
 
+out:
+	if (index != NULL)
+		vfree(index);
+
 	return buf;
 }
 
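Review bot: The NULL guard at the new `out:` label in f_deletesa is dead as written, because `index->l` is dereferenced unconditionally in `vmalloc(sizeof(*head) + index->l)` before any path can reach `out`; the hunk for f_deleteallsadst that follows has the same shape. If index can legitimately be NULL here (from whatever produces it above the hunk), the check belongs before that vmalloc call; otherwise drop the guard and write plain `vfree(index);`. A one-line comment at the label, `/* buf is NULL on the allocation-failure path */`, would also make explicit what the new `goto out` relies on.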
@@ -601,7 +605,7 @@ f_deleteallsadst(ac, av)
 
 	buf = vmalloc(sizeof(*head) + index->l);
 	if (buf == NULL)
-		return NULL;
+		goto out;
 
 	head = (struct admin_com *)buf->v;
 	head->ac_len = buf->l + index->l;
@@ -611,6 +615,10 @@ f_deleteallsadst(ac, av)
 
 	memcpy(buf->v+sizeof(*head), index->v, index->l);
 
+out:
+	if (index != NULL)
+		vfree(index);
+
 	return buf;
 }
 
@@ -701,6 +709,8 @@ f_exchangesa(ac, av)
 		strcpy(data, key);
 	}
 
+	vfree(index);
+
 	return buf;
 }
 
@@ -974,6 +984,8 @@ get_comindex(str, name, port, pref)
 				*p = '\0';
 			}
 		} else if (*p == '[') {
+			if (*pref == NULL)
+				goto bad;
 			*p = '\0';
 			*port = strdup(p + 1);
 			p = strchr(*pref, ']');
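Review bot: `*port = strdup(p + 1)` immediately after the new NULL check is still unchecked; on allocation failure *port becomes NULL and, depending on what the caller does with it, that is either a NULL dereference or a silently missing port. Since this hunk already introduces the `bad` exit for the `*pref == NULL` case, the allocation can use it too: `if ((*port = strdup(p + 1)) == NULL) goto bad;`. Whether `bad` releases a previously assigned *port is outside the hunk and should be confirmed before adding that jump.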
@@ -1433,6 +1445,7 @@ print_cfg(buf, len)
 		for (i = 0; i < col; i++)
 			printf("%c", '=');
 		printf("\n");
+		racoon_free(banner);
 	}
 	
 	if (evt_filter & EVTF_CFG_STOP)
diff -up ipsec-tools-0.6.5/src/racoon/isakmp_inf.c.leaks ipsec-tools-0.6.5/src/racoon/isakmp_inf.c
--- ipsec-tools-0.6.5/src/racoon/isakmp_inf.c.leaks	2008-08-13 22:30:53.000000000 +0200
+++ ipsec-tools-0.6.5/src/racoon/isakmp_inf.c	2008-08-13 22:30:53.000000000 +0200
@@ -450,7 +450,7 @@ isakmp_info_send_nx(isakmp, remote, loca
 	iph1->msgid = 0;	/* XXX */
 #ifdef ENABLE_HYBRID
 	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
-		return -1;
+		goto end;
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
@@ -459,7 +459,7 @@ isakmp_info_send_nx(isakmp, remote, loca
 
 	/* copy remote address */
 	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
-		return -1;
+		goto end;
 
 	tlen = sizeof(*n) + spisiz;
 	if (data)
diff -up ipsec-tools-0.6.5/src/racoon/proposal.c.leaks ipsec-tools-0.6.5/src/racoon/proposal.c
--- ipsec-tools-0.6.5/src/racoon/proposal.c.leaks	2008-08-13 22:30:53.000000000 +0200
+++ ipsec-tools-0.6.5/src/racoon/proposal.c	2008-08-13 22:30:53.000000000 +0200
@@ -506,6 +506,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side)
 		if (newtr == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"failed to allocate satrns.\n");
+			racoon_free(newpr);
 			goto err;
 		}
 		newtr->trns_no = tr1->trns_no;
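Review bot: `racoon_free(newpr)` releases only the saproto header, so if transforms allocated by earlier iterations of this loop have already been attached to newpr (by inssatrns, which is outside the hunk) they leak, and if newpr has already been inserted into newpp the `err` label's flush will free it a second time. The same pattern recurs in aproppair2saprop (the `goto err` sites and the `return NULL` path), in set_proposal_from_policy, and in set_proposal_from_proposal where `racoon_free(pp0)` and `racoon_free(newpr)` are added before `goto end`. The safe form is to release a partially built object with the routine that walks its list (flushsaprop for a saprop, a transform-aware free for a saproto) and only where it is certain the object is not yet linked into its parent; a short comment at each site, `/* newpr not yet inserted into newpp */`, would pin that invariant.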
@@ -760,6 +761,7 @@ aproppair2saprop(p0)
 		if (sizeof(newpr->spi) < p->prop->spi_size) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"invalid spi size %d.\n", p->prop->spi_size);
+			racoon_free(newpr);
 			goto err;
 		}
 
@@ -794,11 +796,14 @@ aproppair2saprop(p0)
 			if (newtr == NULL) {
 				plog(LLV_ERROR, LOCATION, NULL,
 					"failed to allocate satrns.\n");
+				racoon_free(newpr);
 				goto err;
 			}
 
 			if (ipsecdoi_t2satrns(t->trns, newpp, newpr, newtr) < 0) {
 				flushsaprop(newpp);
+				racoon_free(newtr);
+				racoon_free(newpr);
 				return NULL;
 			}
 
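Review bot: The ipsecdoi_t2satrns failure path still exits with `flushsaprop(newpp); racoon_free(newtr); racoon_free(newpr); return NULL;` while the allocation failure a few lines above uses `goto err`; if `err` (outside the hunk) also flushes newpp, the two branches should share it, otherwise this loop now carries two different cleanup protocols. Note also the order in the first branch: flushsaprop(newpp) runs before racoon_free(newpr), which is only correct if newpr has not yet been inserted into newpp at that point, and the racoon_free(newtr) assumes ipsecdoi_t2satrns left nothing allocated inside newtr on failure — both are worth a comment.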
@@ -1101,6 +1106,7 @@ set_proposal_from_policy(iph2, sp_main, 
 		if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"failed to get algorithms.\n");
+			racoon_free(newpr);
 			goto err;
 		}
 
@@ -1135,6 +1141,7 @@ set_proposal_from_policy(iph2, sp_main, 
 
 	return 0;
 err:
+	flushsaprop(newpp);
 	return -1;
 }
 
@@ -1165,6 +1172,10 @@ set_proposal_from_proposal(iph2)
         for (i = 0; i < MAXPROPPAIRLEN; i++) {
                 if (pair[i] == NULL)
                         continue;
+
+		if (pp_peer != NULL)
+			flushsaprop(pp_peer);
+
 		pp_peer = aproppair2saprop(pair[i]);
 		if (pp_peer == NULL)
 			goto end;
@@ -1205,7 +1216,8 @@ set_proposal_from_proposal(iph2)
 			newpr = newsaproto();
 			if (newpr == NULL) {
 				plog(LLV_ERROR, LOCATION, NULL,
-				    "failed to allocate saproto.\n");
+					"failed to allocate saproto.\n");
+				racoon_free(pp0);
 				goto end;
 			}
 			newpr->proto_id = pr->proto_id;
@@ -1220,6 +1232,8 @@ set_proposal_from_proposal(iph2)
 		if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"failed to get algorithms.\n");
+			racoon_free(newpr);
+			racoon_free(pp0);
 			goto end;
 		}
 
@@ -1240,7 +1254,8 @@ end:
 
 	if (pp_peer)
 		flushsaprop(pp_peer);
-	free_proppair(pair);
+	if (pair)
+		free_proppair(pair);
 	return error;
 }
 
diff -up ipsec-tools-0.6.5/src/racoon/plainrsa-gen.c.leaks ipsec-tools-0.6.5/src/racoon/plainrsa-gen.c
--- ipsec-tools-0.6.5/src/racoon/plainrsa-gen.c.leaks	2005-04-21 11:07:20.000000000 +0200
+++ ipsec-tools-0.6.5/src/racoon/plainrsa-gen.c	2008-08-13 22:30:53.000000000 +0200
@@ -94,6 +94,7 @@ mix_b64_pubkey(RSA *key)
 	if (1 + binbuf[0] + ret != binlen) {
 		plog(LLV_ERROR, LOCATION, NULL,
 		     "Pubkey generation failed. This is really strange...\n");
+		free(binbuf);
 		return NULL;
 	}
 
diff -up ipsec-tools-0.6.5/src/racoon/isakmp.c.leaks ipsec-tools-0.6.5/src/racoon/isakmp.c
--- ipsec-tools-0.6.5/src/racoon/isakmp.c.leaks	2008-08-13 22:30:53.000000000 +0200
+++ ipsec-tools-0.6.5/src/racoon/isakmp.c	2008-08-13 22:33:08.000000000 +0200
@@ -755,20 +755,23 @@ ph1_main(iph1, msg)
 			    [iph1->side]
 			    [iph1->status])(iph1, msg);
 	if (error != 0) {
-#if 0
 		/* XXX
 		 * When an invalid packet is received on phase1, it should
 		 * be selected to process this packet.  That is to respond
 		 * with a notify and delete phase 1 handler, OR not to respond
-		 * and keep phase 1 handler.
+		 * and keep phase 1 handler. However, in PHASE1ST_START when
+		 * acting as RESPONDER we must not keep phase 1 handler or else
+		 * it will stay forever.
 		 */
-		plog(LLV_ERROR, LOCATION, iph1->remote,
-			"failed to pre-process packet.\n");
-		return -1;
-#else
-		/* ignore the error and keep phase 1 handler */
-		return 0;
-#endif
+
+		if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"failed to pre-process packet.\n");
+			return -1;
+		} else {
+			/* ignore the error and keep phase 1 handler */
+			return 0;
+		}
 	}
 
 	/* free resend buffer */
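Review bot: The `else` after `return -1;` is redundant and hides that the common case is the unconditional `return 0;`; flattening it to `if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) { plog(...); return -1; }` followed by `/* ignore the error and keep phase 1 handler */ return 0;` reads closer to the comment above it. The comment could also state what the caller is expected to do with -1 for a responder in PHASE1ST_START (tearing down the handler, which is not visible here), since that is the whole reason for distinguishing this case.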
@@ -972,8 +975,10 @@ isakmp_ph1begin_i(rmconf, remote, local)
 	iph1->gssapi_state = NULL;
 #endif
 #ifdef ENABLE_HYBRID
-	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
+	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
+		delph1(iph1);
 		return -1;
+	}
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
@@ -982,8 +987,10 @@ isakmp_ph1begin_i(rmconf, remote, local)
 	iph1->approval = NULL;
 
 	/* XXX copy remote address */
-	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
+	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
+		delph1(iph1);
 		return -1;
+	}
 
 	(void)insph1(iph1);
 
@@ -1079,8 +1086,10 @@ isakmp_ph1begin_r(msg, remote, local, et
 	iph1->gssapi_state = NULL;
 #endif
 #ifdef ENABLE_HYBRID
-	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
+	if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
+		delph1(iph1);
 		return -1;
+	}
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
@@ -1098,9 +1107,10 @@ isakmp_ph1begin_r(msg, remote, local, et
 #endif
 
 	/* copy remote address */
-	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
+	if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
+		delph1(iph1);
 		return -1;
-
+	}
 	(void)insph1(iph1);
 
 	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
@@ -1727,7 +1737,11 @@ isakmp_send(iph1, sbuf)
 	   must added just before the packet itself. For this we must 
 	   allocate a new buffer and release it at the end. */
 	if (extralen) {
-		vbuf = vmalloc (sbuf->l + extralen);
+		if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "vbuf allocation failed\n");
+			return -1;
+		}
 		*(u_int32_t *)vbuf->v = 0;
 		memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
 		sbuf = vbuf;
@@ -1778,30 +1792,44 @@ void
 isakmp_ph1resend_stub(p)
 	void *p;
 {
-	(void)isakmp_ph1resend((struct ph1handle *)p);
+	struct ph1handle *iph1;
+
+	iph1=(struct ph1handle *)p;
+	if(isakmp_ph1resend(iph1) < 0){
+		if(iph1->scr != NULL){
+			/* Should not happen...
+			 */
+			sched_kill(iph1->scr);
+			iph1->scr=NULL;
+		}
+
+		remph1(iph1);
+		delph1(iph1);
+	}
 }
 
 int
 isakmp_ph1resend(iph1)
 	struct ph1handle *iph1;
 {
-	if (iph1->retry_counter < 0) {
+	/* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
+	 */
+	if (iph1->retry_counter <= 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"phase1 negotiation failed due to time up. %s\n",
 			isakmp_pindex(&iph1->index, iph1->msgid));
 		EVT_PUSH(iph1->local, iph1->remote, 
 		    EVTT_PEER_NO_RESPONSE, NULL);
 
-		remph1(iph1);
-		delph1(iph1);
 		return -1;
 	}
 
 	if (isakmp_send(iph1, iph1->sendbuf) < 0){
-		iph1->retry_counter--;
-
-		iph1->scr = sched_new(iph1->rmconf->retry_interval,
-							  isakmp_ph1resend_stub, iph1);
+		plog(LLV_ERROR, LOCATION, NULL,
+			 "phase1 negotiation failed due to send error. %s\n",
+			 isakmp_pindex(&iph1->index, iph1->msgid));
+		EVT_PUSH(iph1->local, iph1->remote, 
+				 EVTT_PEER_NO_RESPONSE, NULL);
 		return -1;
 	}
 
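Review bot: A failed isakmp_send() now ends the phase 1 negotiation outright (EVT_PUSH plus `return -1`, after which the stub removes and deletes the handler), whereas the removed code decremented retry_counter and rescheduled; a transient sendto() error such as ENOBUFS or a momentarily missing route therefore kills the exchange on its first occurrence. If that is intended, the comment above the counter check should say so, not only "NEVER do the rem/del here". The change from `< 0` to `<= 0` also shifts by one how many retransmissions a given retry count yields (the decrement itself is outside the hunk), and the stub's `sched_kill(iph1->scr)` assumes the scheduler has already detached the entry that invoked the stub, which deserves a comment on who owns scr at that point. The same send-error handling is introduced in isakmp_ph2resend below.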
@@ -1822,27 +1850,47 @@ void
 isakmp_ph2resend_stub(p)
 	void *p;
 {
+	struct ph2handle *iph2;
+
+	iph2=(struct ph2handle *)p;
 
-	(void)isakmp_ph2resend((struct ph2handle *)p);
+	if(isakmp_ph2resend(iph2) < 0){
+		unbindph12(iph2);
+		remph2(iph2);
+		delph2(iph2);
+	}
 }
 
 int
 isakmp_ph2resend(iph2)
 	struct ph2handle *iph2;
 {
-	if (iph2->retry_counter < 0) {
+	/* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
+	 */
+	if (iph2->ph1->status == PHASE1ST_EXPIRED){
+		plog(LLV_ERROR, LOCATION, NULL,
+			"phase2 negotiation failed due to phase1 expired. %s\n",
+				isakmp_pindex(&iph2->ph1->index, iph2->msgid));
+		return -1;
+	}
+
+	if (iph2->retry_counter <= 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"phase2 negotiation failed due to time up. %s\n",
 				isakmp_pindex(&iph2->ph1->index, iph2->msgid));
 		EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
 		unbindph12(iph2);
-		remph2(iph2);
-		delph2(iph2);
 		return -1;
 	}
 
-	if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
+	if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){
+		plog(LLV_ERROR, LOCATION, NULL,
+			"phase2 negotiation failed due to send error. %s\n",
+				isakmp_pindex(&iph2->ph1->index, iph2->msgid));
+		EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
+
 		return -1;
+	}
 
 	plog(LLV_DEBUG, LOCATION, NULL,
 		"resend phase2 packet %s\n",
@@ -2709,10 +2757,8 @@ copy_ph1addresses(iph1, rmconf, remote, 
 
 	/* address portion must be grabbed from real remote address "remote" */
 	iph1->remote = dupsaddr(remote);
-	if (iph1->remote == NULL) {
-		delph1(iph1);
+	if (iph1->remote == NULL)
 		return -1;
-	}
 
 	/*
 	 * if remote has no port # (in case of initiator - from ACQUIRE msg)
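Review bot: Removing `delph1(iph1)` from copy_ph1addresses' failure paths (this hunk and the two that follow) moves ownership of iph1 on error to the caller; isakmp_ph1begin_i and isakmp_ph1begin_r are updated in this patch and isakmp_info_send_nx now uses `goto end`, whose cleanup is not visible, but any other caller not touched by this diff would now leak the handle. A one-line comment on the function, `/* on failure the caller still owns iph1 and must delph1() it */`, would pin the new contract. Stylistically, the `if (iph1->local == NULL) { return -1; }` block in the next hunk kept its braces while the `iph1->remote` check here lost them; the two should match.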
@@ -2753,7 +2799,6 @@ copy_ph1addresses(iph1, rmconf, remote, 
 	else
 		iph1->local = dupsaddr(local);
 	if (iph1->local == NULL) {
-		delph1(iph1);
 		return -1;
 	}
 	port = NULL;
@@ -2781,7 +2826,6 @@ copy_ph1addresses(iph1, rmconf, remote, 
 	default:
 		plog(LLV_ERROR, LOCATION, NULL,
 			"invalid family: %d\n", iph1->local->sa_family);
-		delph1(iph1);
 		return -1;
 	}
 #ifdef ENABLE_NATT
@@ -2906,6 +2950,8 @@ isakmp_plist_set_all (struct payload_lis
 
 	return buf;
 end:
+	if (buf != NULL)
+		vfree(buf);
 	return NULL;
 }
 
@@ -3021,6 +3067,7 @@ script_env_append(envp, envc, name, valu
 	if (newenvp == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
 		    "Cannot allocate memory: %s\n", strerror(errno));
+		racoon_free(envitem);
 		return -1;
 	}
 
diff -up ipsec-tools-0.6.5/src/racoon/algorithm.c.leaks ipsec-tools-0.6.5/src/racoon/algorithm.c
--- ipsec-tools-0.6.5/src/racoon/algorithm.c.leaks	2005-06-29 00:38:02.000000000 +0200
+++ ipsec-tools-0.6.5/src/racoon/algorithm.c	2008-08-13 22:30:53.000000000 +0200
@@ -594,7 +594,7 @@ alg_ipsec_hmacdef(doi)
 	for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++)
 		if (doi == ipsec_hmacdef[i].doi) {
 			plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n",
-				oakley_hmacdef[i].name);
+				ipsec_hmacdef[i].name);
 			return &ipsec_hmacdef[i];
 		}
 	return NULL;
--- ipsec-tools-0.6.5/src/racoon/ipsec_doi.c.cve-2008-3651_3652	2008-08-28 17:51:37.000000000 -0400
+++ ipsec-tools-0.6.5/src/racoon/ipsec_doi.c	2008-08-28 17:55:13.000000000 -0400
@@ -274,10 +274,12 @@ found:
 		plog(LLV_WARNING, LOCATION, NULL,
 			"invalid DH parameter found, use default.\n");
 		oakley_dhgrp_free(sa->dhgrp);
+		sa->dhgrp=NULL;
 	}
 
 	if (oakley_setdhgroup(sa->dh_group, &sa->dhgrp) == -1) {
 		sa->dhgrp = NULL;
+		racoon_free(sa);
 		return NULL;
 	}
 
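Review bot: `racoon_free(sa)` on the oakley_setdhgroup failure releases only the isakmpsa struct; if sa is the copy produced by dupisakmpsa() (the `found:` path of get_ph1approvalx in the next hunk shows that origin), any members the dup allocated, such as a gssid buffer, leak with it. The matching release routine for a duplicated isakmpsa (delisakmpsa(), if this version has it) would be the safer call, or else a comment stating that sa owns no members at this point.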
@@ -435,8 +437,10 @@ get_ph1approvalx(p, proposal, sap, check
 	}
 
 found:
-	if (tsap->dhgrp != NULL)
+	if (tsap->dhgrp != NULL){
 		oakley_dhgrp_free(tsap->dhgrp);
+		tsap->dhgrp = NULL;
+	}
 
 	if ((s = dupisakmpsa(s)) != NULL) {
 		switch(check_level) {
@@ -531,8 +535,10 @@ print_ph1mismatched(p, proposal)
 		}
 	}
 
-	if (sa.dhgrp != NULL)
+	if (sa.dhgrp != NULL){
 		oakley_dhgrp_free(sa.dhgrp);
+		sa.dhgrp=NULL;
+	}
 }
 
 /*
@@ -740,7 +746,8 @@ t2isakmpsa(trns, sa)
 #ifdef HAVE_GSSAPI
 		case OAKLEY_ATTR_GSS_ID:
 		{
-			iconv_t cd;
+			int error = -1;
+			iconv_t cd = (iconv_t) -1;
 			size_t srcleft, dstleft, rv;
 			__iconv_const char *src;
 			char *dst;
@@ -753,12 +760,17 @@ t2isakmpsa(trns, sa)
 			 * compatible with this behavior.
 			 */
 			if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) {
-				sa->gssid = vmalloc(len);
+				if ((sa->gssid = vmalloc(len)) == NULL) {
+					plog(LLV_ERROR, LOCATION, NULL,
+						"failed to allocate memory\n");
+					goto out;
+				}
 				memcpy(sa->gssid->v, d + 1, len);
 				plog(LLV_DEBUG, LOCATION, NULL,
 				  "received old-style gss id '%.*s' (len %d)\n",
 				  (int) sa->gssid->l, sa->gssid->v, (int) sa->gssid->l);
-				break;
+				error = 0;
+				goto out;
 			}
 
 			/*
@@ -775,10 +787,14 @@ t2isakmpsa(trns, sa)
 				    "unable to initialize utf-16le -> latin1 "
 				    "conversion descriptor: %s\n",
 				    strerror(errno));
-				break;
+				goto out;
 			}
 
-			sa->gssid = vmalloc(len / 2);
+			if ((sa->gssid = vmalloc(len / 2)) == NULL) {
+				plog(LLV_ERROR, LOCATION, NULL,
+				    "failed to allocate memory\n");
+				goto out;
+			}
 
 			src = (__iconv_const char *)(d + 1);
 			srcleft = len;
@@ -800,12 +816,8 @@ t2isakmpsa(trns, sa)
 					    "be represented in latin1\n",
 					    rv, rv == 1 ? "" : "s");
 				}
-				(void) iconv_close(cd);
-				vfree(sa->gssid);
-				sa->gssid = NULL;
-				break;
+				goto out;
 			}
-			(void) iconv_close(cd);
 
 			/* XXX dstleft should always be 0; assert it? */
 			sa->gssid->l = (len / 2) - dstleft;
@@ -813,6 +825,15 @@ t2isakmpsa(trns, sa)
 			plog(LLV_DEBUG, LOCATION, NULL,
 			    "received gss id '%.*s' (len %d)\n",
 			    (int) sa->gssid->l, sa->gssid->v, (int) sa->gssid->l);
+			error = 0;
+out:
+			if (cd != (iconv_t)-1)
+				(void)iconv_close(cd);
+
+			if ((error != 0) && (sa->gssid != NULL)) {
+				vfree(sa->gssid);
+				sa->gssid = NULL;
+			}
 			break;
 		}
 #endif /* HAVE_GSSAPI */
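Review bot: The new `int error = -1;` inside the OAKLEY_ATTR_GSS_ID block will shadow a function-scope `error` if t2isakmpsa declares one (its prologue is outside the hunk), which -Wshadow would flag and which makes the `error = 0; goto out;` lines easy to misread as setting the function's own result. Renaming the local, e.g. `int gss_err = -1;`, removes the ambiguity. The `out:` label also sits inside a `case` block; a comment noting that it covers only the GSS_ID case and that `cd` is initialised to `(iconv_t)-1` so the close is safe on every path would help.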
@@ -1037,10 +1058,10 @@ cmp_aproppair_i(a, b)
 			return -1;
 		}
 
-		if (p->prop->proto_id != r->prop->proto_id) {
+		if (p->prop->spi_size != r->prop->spi_size) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"invalid spi size: %d.\n",
-				p->prop->proto_id);
+				p->prop->spi_size);
 			return -1;
 		}
 
@@ -1305,7 +1326,7 @@ get_proppair(sa, mode)
 
 	pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_P, (struct isakmp_gen *)bp, tlen);
 	if (pbuf == NULL)
-		return NULL;
+		goto bad;
 
 	for (pa = (struct isakmp_parse_t *)pbuf->v;
 	     pa->type != ISAKMP_NPTYPE_NONE;
@@ -1315,7 +1336,7 @@ get_proppair(sa, mode)
 			plog(LLV_ERROR, LOCATION, NULL,
 				"Invalid payload type=%u\n", pa->type);
 			vfree(pbuf);
-			return NULL;
+			goto bad;
 		}
 
 		prop = (struct isakmp_pl_p *)pa->ptr;
@@ -1328,7 +1349,7 @@ get_proppair(sa, mode)
 			plog(LLV_ERROR, LOCATION, NULL,
 				"invalid proposal with length %d\n", proplen);
 			vfree(pbuf);
-			return NULL;
+			goto bad;
 		}
 
 		/* check Protocol ID */
@@ -1348,7 +1369,7 @@ get_proppair(sa, mode)
 		/* get transform */
 		if (get_transform(prop, pair, &num_p) < 0) {
 			vfree(pbuf);
-			return NULL;
+			goto bad;
 		}
 	}
 	vfree(pbuf);
@@ -1410,10 +1431,14 @@ get_proppair(sa, mode)
 	if (num_p <= 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"no Proposal found.\n");
-		return NULL;
+		goto bad;
 	}
 
 	return pair;
+bad:
+	if (pair != NULL)
+		racoon_free(pair);
+	return NULL;
 }
 
 /*
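Review bot: The new `bad:` label frees `pair` with `racoon_free(pair)`, but when get_transform() fails in a later iteration (the hunk with `goto bad` after `vfree(pbuf)`), earlier iterations have already populated entries of pair, so releasing only the array leaks them. proposal.c in this same patch uses `free_proppair(pair)` for the array returned by get_proppair, so that is what `bad:` should call, assuming it tolerates a partially filled array. The same mismatch is introduced at the `out:` label of get_sabysaprop, where `pair` also comes from get_proppair and is released with racoon_free.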
@@ -1659,7 +1684,7 @@ get_sabysaprop(pp0, sa0)
 	vchar_t *sa0;
 {
 	struct prop_pair **pair;
-	vchar_t *newsa;
+	vchar_t *newsa = NULL;
 	int newtlen;
 	u_int8_t *np_p = NULL;
 	struct prop_pair *p = NULL;
@@ -1668,6 +1693,7 @@ get_sabysaprop(pp0, sa0)
 	struct satrns *tr;
 	int prophlen, trnslen;
 	caddr_t bp;
+	int error = -1;
 
 	/* get proposal pair */
 	pair = get_proppair(sa0, IPSECDOI_TYPE_PH2);
@@ -1678,7 +1704,7 @@ get_sabysaprop(pp0, sa0)
 	for (pp = pp0; pp; pp = pp->next) {
 
 		if (pair[pp->prop_no] == NULL)
-			return NULL;
+			goto out;
 
 		for (pr = pp->head; pr; pr = pr->next) {
 			newtlen += (sizeof(struct isakmp_pl_p)
@@ -1690,7 +1716,7 @@ get_sabysaprop(pp0, sa0)
 						break;
 				}
 				if (p == NULL)
-					return NULL;
+					goto out;
 
 				newtlen += ntohs(p->trns->h.len);
 			}
@@ -1700,7 +1726,7 @@ get_sabysaprop(pp0, sa0)
 	newsa = vmalloc(newtlen);
 	if (newsa == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, "failed to get newsa.\n");
-		return NULL;
+		goto out;
 	}
 	bp = newsa->v;
 
@@ -1721,7 +1747,7 @@ get_sabysaprop(pp0, sa0)
 						break;
 				}
 				if (p == NULL)
-					return NULL;
+					goto out;
 
 				trnslen = ntohs(p->trns->h.len);
 
@@ -1746,6 +1772,18 @@ get_sabysaprop(pp0, sa0)
 		}
 	}
 
+	error = 0;
+out:
+	if (pair != NULL)
+		racoon_free(pair);
+
+	if (error != 0) {
+		if (newsa != NULL) {
+			vfree(newsa);
+			newsa = NULL;
+		}
+	}
+
 	return newsa;
 }
 
@@ -3297,7 +3335,7 @@ ipsecdoi_checkid1(iph1)
 	}
 
 	/* if phase 1 ID payload conformed RFC2407 4.6.2. */
-	if (id_b->type == IPSECDOI_ID_IPV4_ADDR &&
+	if (id_b->type == IPSECDOI_ID_IPV4_ADDR ||
 	    id_b->type == IPSECDOI_ID_IPV6_ADDR) {
 
 		if (id_b->proto_id == 0 && ntohs(id_b->port) != 0) {
@@ -3627,9 +3665,12 @@ set_identifier(vpp, type, value)
 		}
 
 		new = vmalloc(sysdep_sa_len(sa));
-		if (new == NULL)
+		if (new == NULL) {
+			racoon_free(sa);
 			return -1;
+		}
 		memcpy(new->v, sa, new->l);
+		racoon_free(sa);
 		break;
 	}
 	case IDTYPE_ASN1DN:
@@ -3922,9 +3963,9 @@ ipsecdoi_id2sockaddr(buf, saddr, prefixl
 			+ alen;
 
 		for (; *p == 0xff; p++) {
+			plen += 8;
 			if (plen >= max)
 				break;
-			plen += 8;
 		}
 
 		if (plen < max) {
--- ipsec-tools-0.6.6/src/racoon/gssapi.c.cve-2008-3651_3652	2008-08-28 18:03:02.000000000 -0400
+++ ipsec-tools-0.6.6/src/racoon/gssapi.c	2008-08-28 18:12:04.000000000 -0400
@@ -152,7 +152,6 @@ static int
 gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service)
 {
 	char name[NI_MAXHOST];
-	char *buf = NULL;
 	struct sockaddr *sa;
 	gss_buffer_desc name_token;
 	OM_uint32 min_stat, maj_stat;
@@ -162,8 +161,8 @@ gssapi_get_default_name(struct ph1handle
 	if (getnameinfo(sa, sysdep_sa_len(sa), name, NI_MAXHOST, NULL, 0, 0) != 0)
 		return -1;
 
-	name_token.length = asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name);
-	name_token.value = buf;
+	name_token.length = asprintf((void *)&name_token.value,
+	    "%s@%s", GSSAPI_DEF_NAME, name);
 	maj_stat = gss_import_name(&min_stat, &name_token,
 	    GSS_C_NT_HOSTBASED_SERVICE, service);
 	if (GSS_ERROR(maj_stat)) {
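Review bot: The return of asprintf() is assigned straight to `name_token.length`; on failure asprintf returns -1 and leaves the pointer unspecified, so length becomes (size_t)-1 and gss_import_name() is handed an undefined buffer. Check it first: `int n = asprintf((void *)&name_token.value, "%s@%s", GSSAPI_DEF_NAME, name);` then `if (n < 0) return -1;` and `name_token.length = (size_t)n;`. With `buf` removed, the allocation must still be freed through name_token.value after gss_import_name, which is outside the hunk.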