diff -up ipsec-tools-0.6.5/src/racoon/dnssec.c.leaks ipsec-tools-0.6.5/src/racoon/dnssec.c --- ipsec-tools-0.6.5/src/racoon/dnssec.c.leaks 2005-08-14 23:42:40.000000000 +0200 +++ ipsec-tools-0.6.5/src/racoon/dnssec.c 2008-08-13 22:30:53.000000000 +0200 @@ -94,7 +94,7 @@ dnssec_getcert(id) "inpropper ID type passed %s " "though getcert method is dnssec.\n", s_ipsecdoi_ident(id_b->type)); - return NULL; + goto err; } /* check response */ @@ -143,7 +143,10 @@ end: err: if (name) racoon_free(name); - if (cert) + if (cert) { oakley_delcert(cert); + cert = NULL; + } + goto end; } diff -up ipsec-tools-0.6.5/src/racoon/racoonctl.c.leaks ipsec-tools-0.6.5/src/racoon/racoonctl.c --- ipsec-tools-0.6.5/src/racoon/racoonctl.c.leaks 2005-04-21 11:07:20.000000000 +0200 +++ ipsec-tools-0.6.5/src/racoon/racoonctl.c 2008-08-13 22:30:53.000000000 +0200 @@ -338,7 +338,7 @@ evt_poll(void) { (void)select(0, NULL, NULL, NULL, &tv); } - /* NOTREACHED */ + vfree(sendbuf); return 0; } @@ -550,7 +550,7 @@ f_deletesa(ac, av) buf = vmalloc(sizeof(*head) + index->l); if (buf == NULL) - return NULL; + goto out; head = (struct admin_com *)buf->v; head->ac_len = buf->l + index->l; @@ -560,6 +560,10 @@ f_deletesa(ac, av) memcpy(buf->v+sizeof(*head), index->v, index->l); +out: + if (index != NULL) + vfree(index); + return buf; } @@ -601,7 +605,7 @@ f_deleteallsadst(ac, av) buf = vmalloc(sizeof(*head) + index->l); if (buf == NULL) - return NULL; + goto out; head = (struct admin_com *)buf->v; head->ac_len = buf->l + index->l; @@ -611,6 +615,10 @@ f_deleteallsadst(ac, av) memcpy(buf->v+sizeof(*head), index->v, index->l); +out: + if (index != NULL) + vfree(index); + return buf; } @@ -701,6 +709,8 @@ f_exchangesa(ac, av) strcpy(data, key); } + vfree(index); + return buf; } @@ -974,6 +984,8 @@ get_comindex(str, name, port, pref) *p = '\0'; } } else if (*p == '[') { + if (*pref == NULL) + goto bad; *p = '\0'; *port = strdup(p + 1); p = strchr(*pref, ']'); 
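Review bot: The new `goto end;` at the bottom of the `err:` cleanup in dnssec_getcert jumps to a label that sits above it (named in the hunk header, outside the hunk) after `name` has been handed to `racoon_free(name)` without being reset; if the `end:` path releases or inspects `name`, the leak fix becomes a double free. Setting `name = NULL;` immediately after `racoon_free(name);` keeps the jump safe whatever `end:` does, and mirrors the `cert = NULL;` this hunk already adds for the same reason.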
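Review bot: `vfree(sendbuf);` in evt_poll replaces a `/* NOTREACHED */` comment, i.e. it is placed after a loop the original author considered infinite; unless the loop body (outside the hunk) now contains a `break`, the free is dead code and `sendbuf` still leaks on whatever path really leaves evt_poll. Either move the free to the actual exit path or keep a comment beside it naming the `break` that reaches it, so the next reader does not re-add NOTREACHED.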
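Review bot: `vfree(index);` added to f_exchangesa has no NULL guard, while the `out:` labels this same patch adds to f_deletesa and f_deleteallsadst wrap the identical call in `if (index != NULL)`. racoon's vfree appears to accept NULL, in which case those guards are redundant; if it does not, this call is the one that needs it. Pick one convention for all three, and since all three build the same `admin_com` header from `index` the duplicated block is a candidate for one shared helper.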
@@ -1433,6 +1445,7 @@ print_cfg(buf, len) for (i = 0; i < col; i++) printf("%c", '='); printf("\n"); + racoon_free(banner); } if (evt_filter & EVTF_CFG_STOP) diff -up ipsec-tools-0.6.5/src/racoon/isakmp_inf.c.leaks ipsec-tools-0.6.5/src/racoon/isakmp_inf.c --- ipsec-tools-0.6.5/src/racoon/isakmp_inf.c.leaks 2008-08-13 22:30:53.000000000 +0200 +++ ipsec-tools-0.6.5/src/racoon/isakmp_inf.c 2008-08-13 22:30:53.000000000 +0200 @@ -450,7 +450,7 @@ isakmp_info_send_nx(isakmp, remote, loca iph1->msgid = 0; /* XXX */ #ifdef ENABLE_HYBRID if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) - return -1; + goto end; #endif #ifdef ENABLE_FRAG iph1->frag = 0; @@ -459,7 +459,7 @@ isakmp_info_send_nx(isakmp, remote, loca /* copy remote address */ if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) - return -1; + goto end; tlen = sizeof(*n) + spisiz; if (data) diff -up ipsec-tools-0.6.5/src/racoon/proposal.c.leaks ipsec-tools-0.6.5/src/racoon/proposal.c --- ipsec-tools-0.6.5/src/racoon/proposal.c.leaks 2008-08-13 22:30:53.000000000 +0200 +++ ipsec-tools-0.6.5/src/racoon/proposal.c 2008-08-13 22:30:53.000000000 +0200 @@ -506,6 +506,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side) if (newtr == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate satrns.\n"); + racoon_free(newpr); goto err; } newtr->trns_no = tr1->trns_no; @@ -760,6 +761,7 @@ aproppair2saprop(p0) if (sizeof(newpr->spi) < p->prop->spi_size) { plog(LLV_ERROR, LOCATION, NULL, "invalid spi size %d.\n", p->prop->spi_size); + racoon_free(newpr); goto err; } @@ -794,11 +796,14 @@ aproppair2saprop(p0) if (newtr == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to allocate satrns.\n"); + racoon_free(newpr); goto err; } if (ipsecdoi_t2satrns(t->trns, newpp, newpr, newtr) < 0) { flushsaprop(newpp); + racoon_free(newtr); + racoon_free(newpr); return NULL; } 
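Review bot: `racoon_free(banner);` in print_cfg is placed at the end of the `if` block that prints the banner; if `banner` is allocated before that `if` (the allocation is outside the hunk), the branch that skips the block still leaks it, and if the variable is read again afterwards it now dangles. Freeing at the end of the allocation's own scope, or adding `banner = NULL;` after the free, settles both questions.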
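Review bot: The two `goto end;` replacements in isakmp_info_send_nx only avoid a double free because the copy_ph1addresses hunks in isakmp.c (`@@ -2709`, `@@ -2753`, `@@ -2781`) remove the `delph1(iph1)` calls that function used to make on its own failure paths; against the old copy_ph1addresses, `end:` would free `iph1` a second time. The same dependency holds for the `delph1(iph1); return -1;` blocks added to isakmp_ph1begin_i and isakmp_ph1begin_r. These hunks must land together, and a one-line comment at the top of copy_ph1addresses, `/* on failure the caller still owns iph1 and must delph1() it */`, would record the new contract for future callers.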
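Review bot: `racoon_free(newpr);` before `goto err` in cmpsaprop_alloc releases only the `saproto` struct; if this sits inside the per-transform loop (the loop header is outside the hunk), any `satrns` already inserted into `newpr` on earlier iterations stays allocated. The same pattern recurs in aproppair2saprop (both hunks) and in set_proposal_from_policy and set_proposal_from_proposal (`racoon_free(newpr)`, `racoon_free(pp0)`). If the file has a `saproto`-level counterpart of `flushsaprop`, that is the right call here; conversely, where `newpr` has already been linked into `newpp`, freeing it after `flushsaprop(newpp)` (second aproppair2saprop hunk) would be a double free, so the insertion order in each function needs checking.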
@@ -1101,6 +1106,7 @@ set_proposal_from_policy(iph2, sp_main, if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) { plog(LLV_ERROR, LOCATION, NULL, "failed to get algorithms.\n"); + racoon_free(newpr); goto err; } @@ -1135,6 +1141,7 @@ set_proposal_from_policy(iph2, sp_main, return 0; err: + flushsaprop(newpp); return -1; } @@ -1165,6 +1172,10 @@ set_proposal_from_proposal(iph2) for (i = 0; i < MAXPROPPAIRLEN; i++) { if (pair[i] == NULL) continue; + + if (pp_peer != NULL) + flushsaprop(pp_peer); + pp_peer = aproppair2saprop(pair[i]); if (pp_peer == NULL) goto end; @@ -1205,7 +1216,8 @@ set_proposal_from_proposal(iph2) newpr = newsaproto(); if (newpr == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate saproto.\n"); + "failed to allocate saproto.\n"); + racoon_free(pp0); goto end; } newpr->proto_id = pr->proto_id; @@ -1220,6 +1232,8 @@ set_proposal_from_proposal(iph2) if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) { plog(LLV_ERROR, LOCATION, NULL, "failed to get algorithms.\n"); + racoon_free(newpr); + racoon_free(pp0); goto end; } @@ -1240,7 +1254,8 @@ end: if (pp_peer) flushsaprop(pp_peer); - free_proppair(pair); + if (pair) + free_proppair(pair); return error; } diff -up ipsec-tools-0.6.5/src/racoon/plainrsa-gen.c.leaks ipsec-tools-0.6.5/src/racoon/plainrsa-gen.c --- ipsec-tools-0.6.5/src/racoon/plainrsa-gen.c.leaks 2005-04-21 11:07:20.000000000 +0200 +++ ipsec-tools-0.6.5/src/racoon/plainrsa-gen.c 2008-08-13 22:30:53.000000000 +0200 @@ -94,6 +94,7 @@ mix_b64_pubkey(RSA *key) if (1 + binbuf[0] + ret != binlen) { plog(LLV_ERROR, LOCATION, NULL, "Pubkey generation failed. This is really strange...\n"); + free(binbuf); return NULL; } diff -up ipsec-tools-0.6.5/src/racoon/isakmp.c.leaks ipsec-tools-0.6.5/src/racoon/isakmp.c --- ipsec-tools-0.6.5/src/racoon/isakmp.c.leaks 2008-08-13 22:30:53.000000000 +0200 +++ ipsec-tools-0.6.5/src/racoon/isakmp.c 2008-08-13 22:33:08.000000000 +0200 
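Review bot: `flushsaprop(newpp);` at `err:` in set_proposal_from_policy is safe only if the `iph2->proposal = newpp` assignment (outside the hunk) follows the last `goto err`; if it precedes any failure path, the phase 2 handle is left with a dangling pointer. It also assumes `newpp` is NULL-initialised at declaration so the early failures do not flush garbage. A comment at the label, `/* newpp is not yet owned by iph2 at this point */`, would make the assumption visible.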
@@ -755,20 +755,23 @@ ph1_main(iph1, msg) [iph1->side] [iph1->status])(iph1, msg); if (error != 0) { -#if 0 /* XXX * When an invalid packet is received on phase1, it should * be selected to process this packet. That is to respond * with a notify and delete phase 1 handler, OR not to respond - * and keep phase 1 handler. + * and keep phase 1 handler. However, in PHASE1ST_START when + * acting as RESPONDER we must not keep phase 1 handler or else + * it will stay forever. */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to pre-process packet.\n"); - return -1; -#else - /* ignore the error and keep phase 1 handler */ - return 0; -#endif + + if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) { + plog(LLV_ERROR, LOCATION, iph1->remote, + "failed to pre-process packet.\n"); + return -1; + } else { + /* ignore the error and keep phase 1 handler */ + return 0; + } } /* free resend buffer */ @@ -972,8 +975,10 @@ isakmp_ph1begin_i(rmconf, remote, local) iph1->gssapi_state = NULL; #endif #ifdef ENABLE_HYBRID - if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) + if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { + delph1(iph1); return -1; + } #endif #ifdef ENABLE_FRAG iph1->frag = 0; @@ -982,8 +987,10 @@ isakmp_ph1begin_i(rmconf, remote, local) iph1->approval = NULL; /* XXX copy remote address */ - if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) + if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) { + delph1(iph1); return -1; + } (void)insph1(iph1); @@ -1079,8 +1086,10 @@ isakmp_ph1begin_r(msg, remote, local, et iph1->gssapi_state = NULL; #endif #ifdef ENABLE_HYBRID - if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) + if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { + delph1(iph1); return -1; + } #endif #ifdef ENABLE_FRAG iph1->frag = 0; 
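Review bot: The `else` after an unconditional `return -1;` in ph1_main is redundant and hides that the two branches differ only in the responder/START case; `if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) { plog(...); return -1; }` followed by the existing `/* ignore the error and keep phase 1 handler */ return 0;` reads more plainly. Whether the -1 actually discards the handler, as the rewritten comment promises, depends on the caller (outside the hunk) doing remph1/delph1 on that return; that is worth confirming, since the original `#if 0` branch returned -1 too and was disabled.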
@@ -1098,9 +1107,10 @@ isakmp_ph1begin_r(msg, remote, local, et #endif /* copy remote address */ - if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) + if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) { + delph1(iph1); return -1; - + } (void)insph1(iph1); plog(LLV_DEBUG, LOCATION, NULL, "===\n"); @@ -1727,7 +1737,11 @@ isakmp_send(iph1, sbuf) must added just before the packet itself. For this we must allocate a new buffer and release it at the end. */ if (extralen) { - vbuf = vmalloc (sbuf->l + extralen); + if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "vbuf allocation failed\n"); + return -1; + } *(u_int32_t *)vbuf->v = 0; memcpy (vbuf->v + extralen, sbuf->v, sbuf->l); sbuf = vbuf; @@ -1778,30 +1792,44 @@ void isakmp_ph1resend_stub(p) void *p; { - (void)isakmp_ph1resend((struct ph1handle *)p); + struct ph1handle *iph1; + + iph1=(struct ph1handle *)p; + if(isakmp_ph1resend(iph1) < 0){ + if(iph1->scr != NULL){ + /* Should not happen... + */ + sched_kill(iph1->scr); + iph1->scr=NULL; + } + + remph1(iph1); + delph1(iph1); + } } int isakmp_ph1resend(iph1) struct ph1handle *iph1; { - if (iph1->retry_counter < 0) { + /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function + */ + if (iph1->retry_counter <= 0) { plog(LLV_ERROR, LOCATION, NULL, "phase1 negotiation failed due to time up. %s\n", isakmp_pindex(&iph1->index, iph1->msgid)); EVT_PUSH(iph1->local, iph1->remote, EVTT_PEER_NO_RESPONSE, NULL); - remph1(iph1); - delph1(iph1); return -1; } if (isakmp_send(iph1, iph1->sendbuf) < 0){ - iph1->retry_counter--; - - iph1->scr = sched_new(iph1->rmconf->retry_interval, - isakmp_ph1resend_stub, iph1); + plog(LLV_ERROR, LOCATION, NULL, + "phase1 negotiation failed due to send error. %s\n", + isakmp_pindex(&iph1->index, iph1->msgid)); + EVT_PUSH(iph1->local, iph1->remote, + EVTT_PEER_NO_RESPONSE, NULL); return -1; } 
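Review bot: A single failed `isakmp_send` now ends the phase 1 negotiation: the rewritten branch in isakmp_ph1resend logs, pushes EVTT_PEER_NO_RESPONSE and returns -1, and isakmp_ph1resend_stub then does `remph1(iph1); delph1(iph1);`, whereas the removed code decremented `retry_counter` and rescheduled. A transient socket error thus becomes a hard failure rather than one consumed retry; keeping the decrement and `sched_new` in that branch and failing only once `retry_counter` reaches zero preserves the old resilience while still fixing the leak. The `< 0` to `<= 0` change also costs one attempt, which may be intended but is not mentioned. Minor: the new stub code departs from the file's spacing (`if(isakmp_ph1resend(iph1) < 0){`, `iph1=(struct ph1handle *)p;`); the same points apply to the ph2 resend hunk that follows.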
@@ -1822,27 +1850,47 @@ void isakmp_ph2resend_stub(p) void *p; { + struct ph2handle *iph2; + + iph2=(struct ph2handle *)p; - (void)isakmp_ph2resend((struct ph2handle *)p); + if(isakmp_ph2resend(iph2) < 0){ + unbindph12(iph2); + remph2(iph2); + delph2(iph2); + } } int isakmp_ph2resend(iph2) struct ph2handle *iph2; { - if (iph2->retry_counter < 0) { + /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function + */ + if (iph2->ph1->status == PHASE1ST_EXPIRED){ + plog(LLV_ERROR, LOCATION, NULL, + "phase2 negotiation failed due to phase1 expired. %s\n", + isakmp_pindex(&iph2->ph1->index, iph2->msgid)); + return -1; + } + + if (iph2->retry_counter <= 0) { plog(LLV_ERROR, LOCATION, NULL, "phase2 negotiation failed due to time up. %s\n", isakmp_pindex(&iph2->ph1->index, iph2->msgid)); EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL); unbindph12(iph2); - remph2(iph2); - delph2(iph2); return -1; } - if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) + if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){ + plog(LLV_ERROR, LOCATION, NULL, + "phase2 negotiation failed due to send error. %s\n", + isakmp_pindex(&iph2->ph1->index, iph2->msgid)); + EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL); + return -1; + } plog(LLV_DEBUG, LOCATION, NULL, "resend phase2 packet %s\n", @@ -2709,10 +2757,8 @@ copy_ph1addresses(iph1, rmconf, remote, /* address portion must be grabbed from real remote address "remote" */ iph1->remote = dupsaddr(remote); - if (iph1->remote == NULL) { - delph1(iph1); + if (iph1->remote == NULL) return -1; - } /* * if remote has no port # (in case of initiator - from ACQUIRE msg) @@ -2753,7 +2799,6 @@ copy_ph1addresses(iph1, rmconf, remote, else iph1->local = dupsaddr(local); if (iph1->local == NULL) { - delph1(iph1); return -1; } port = NULL; 
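Review bot: The time-up branch of isakmp_ph2resend still calls `unbindph12(iph2);` before `return -1;`, and the new isakmp_ph2resend_stub calls `unbindph12(iph2)` again on that -1, contradicting the new comment that says never unbind here; that is harmless only if unbindph12 tolerates an already-unbound handle, so dropping the call from the time-up branch removes the doubt. The new `iph2->ph1->status == PHASE1ST_EXPIRED` check dereferences `iph2->ph1` unconditionally; if an expired phase 1 can unbind its phase 2 handles before this timer fires, guard it as `if (iph2->ph1 == NULL || iph2->ph1->status == PHASE1ST_EXPIRED)` and adjust the log line that reads `iph2->ph1->index` accordingly.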
@@ -2781,7 +2826,6 @@ copy_ph1addresses(iph1, rmconf, remote, default: plog(LLV_ERROR, LOCATION, NULL, "invalid family: %d\n", iph1->local->sa_family); - delph1(iph1); return -1; } #ifdef ENABLE_NATT @@ -2906,6 +2950,8 @@ isakmp_plist_set_all (struct payload_lis return buf; end: + if (buf != NULL) + vfree(buf); return NULL; } @@ -3021,6 +3067,7 @@ script_env_append(envp, envc, name, valu if (newenvp == NULL) { plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory: %s\n", strerror(errno)); + racoon_free(envitem); return -1; } diff -up ipsec-tools-0.6.5/src/racoon/algorithm.c.leaks ipsec-tools-0.6.5/src/racoon/algorithm.c --- ipsec-tools-0.6.5/src/racoon/algorithm.c.leaks 2005-06-29 00:38:02.000000000 +0200 +++ ipsec-tools-0.6.5/src/racoon/algorithm.c 2008-08-13 22:30:53.000000000 +0200 @@ -594,7 +594,7 @@ alg_ipsec_hmacdef(doi) for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++) if (doi == ipsec_hmacdef[i].doi) { plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n", - oakley_hmacdef[i].name); + ipsec_hmacdef[i].name); return &ipsec_hmacdef[i]; } return NULL; --- ipsec-tools-0.6.5/src/racoon/ipsec_doi.c.cve-2008-3651_3652 2008-08-28 17:51:37.000000000 -0400 +++ ipsec-tools-0.6.5/src/racoon/ipsec_doi.c 2008-08-28 17:55:13.000000000 -0400 @@ -274,10 +274,12 @@ found: plog(LLV_WARNING, LOCATION, NULL, "invalid DH parameter found, use default.\n"); oakley_dhgrp_free(sa->dhgrp); + sa->dhgrp=NULL; } if (oakley_setdhgroup(sa->dh_group, &sa->dhgrp) == -1) { sa->dhgrp = NULL; + racoon_free(sa); return NULL; } @@ -435,8 +437,10 @@ get_ph1approvalx(p, proposal, sap, check } found: - if (tsap->dhgrp != NULL) + if (tsap->dhgrp != NULL){ oakley_dhgrp_free(tsap->dhgrp); + tsap->dhgrp = NULL; + } if ((s = dupisakmpsa(s)) != NULL) { switch(check_level) { @@ -531,8 +535,10 @@ print_ph1mismatched(p, proposal) } } - if (sa.dhgrp != NULL) + if (sa.dhgrp != NULL){ oakley_dhgrp_free(sa.dhgrp); + sa.dhgrp=NULL; + } } /* 
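Review bot: `racoon_free(sa);` on the oakley_setdhgroup failure in the `found:` hunk releases only the isakmpsa struct; the dhgrp has just been freed and NULLed above it, but any other heap member of `sa` populated before this point (for instance `sa->gssid`, which t2isakmpsa allocates in the hunks below) would leak. If the file has a helper that tears down a whole isakmpsa, use it here; otherwise a comment stating why the struct is known to hold nothing else would help. Minor: `sa->dhgrp=NULL;` and the `){` spacing in these three ipsec_doi.c hunks differ from the surrounding style.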
@@ -740,7 +746,8 @@ t2isakmpsa(trns, sa) #ifdef HAVE_GSSAPI case OAKLEY_ATTR_GSS_ID: { - iconv_t cd; + int error = -1; + iconv_t cd = (iconv_t) -1; size_t srcleft, dstleft, rv; __iconv_const char *src; char *dst; @@ -753,12 +760,17 @@ t2isakmpsa(trns, sa) * compatible with this behavior. */ if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) { - sa->gssid = vmalloc(len); + if ((sa->gssid = vmalloc(len)) == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to allocate memory\n"); + goto out; + } memcpy(sa->gssid->v, d + 1, len); plog(LLV_DEBUG, LOCATION, NULL, "received old-style gss id '%.*s' (len %d)\n", (int) sa->gssid->l, sa->gssid->v, (int) sa->gssid->l); - break; + error = 0; + goto out; } /* @@ -775,10 +787,14 @@ t2isakmpsa(trns, sa) "unable to initialize utf-16le -> latin1 " "conversion descriptor: %s\n", strerror(errno)); - break; + goto out; } - sa->gssid = vmalloc(len / 2); + if ((sa->gssid = vmalloc(len / 2)) == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "failed to allocate memory\n"); + goto out; + } src = (__iconv_const char *)(d + 1); srcleft = len; @@ -800,12 +816,8 @@ t2isakmpsa(trns, sa) "be represented in latin1\n", rv, rv == 1 ? "" : "s"); } - (void) iconv_close(cd); - vfree(sa->gssid); - sa->gssid = NULL; - break; + goto out; } - (void) iconv_close(cd); /* XXX dstleft should always be 0; assert it? */ sa->gssid->l = (len / 2) - dstleft; @@ -813,6 +825,15 @@ t2isakmpsa(trns, sa) plog(LLV_DEBUG, LOCATION, NULL, "received gss id '%.*s' (len %d)\n", (int) sa->gssid->l, sa->gssid->v, (int) sa->gssid->l); + error = 0; +out: + if (cd != (iconv_t)-1) + (void)iconv_close(cd); + + if ((error != 0) && (sa->gssid != NULL)) { + vfree(sa->gssid); + sa->gssid = NULL; + } break; } #endif /* HAVE_GSSAPI */ 
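Review bot: `int error = -1;` and the `out:` label are introduced inside the `case OAKLEY_ATTR_GSS_ID:` block of t2isakmpsa; if the enclosing function (its locals are outside the hunk) already has an `error` variable this silently shadows it, and a second `out` label would not compile. Case-local names such as `gss_error` / `gss_out` avoid both. Otherwise the restructuring is sound: every failure path reaches `out:` with `error != 0`, which closes `cd` and drops a half-built `sa->gssid`, and the latin1 path now goes through the same cleanup instead of a bare `break`.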
@@ -1037,10 +1058,10 @@ cmp_aproppair_i(a, b) return -1; } - if (p->prop->proto_id != r->prop->proto_id) { + if (p->prop->spi_size != r->prop->spi_size) { plog(LLV_ERROR, LOCATION, NULL, "invalid spi size: %d.\n", - p->prop->proto_id); + p->prop->spi_size); return -1; } @@ -1305,7 +1326,7 @@ get_proppair(sa, mode) pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_P, (struct isakmp_gen *)bp, tlen); if (pbuf == NULL) - return NULL; + goto bad; for (pa = (struct isakmp_parse_t *)pbuf->v; pa->type != ISAKMP_NPTYPE_NONE; @@ -1315,7 +1336,7 @@ get_proppair(sa, mode) plog(LLV_ERROR, LOCATION, NULL, "Invalid payload type=%u\n", pa->type); vfree(pbuf); - return NULL; + goto bad; } prop = (struct isakmp_pl_p *)pa->ptr; @@ -1328,7 +1349,7 @@ get_proppair(sa, mode) plog(LLV_ERROR, LOCATION, NULL, "invalid proposal with length %d\n", proplen); vfree(pbuf); - return NULL; + goto bad; } /* check Protocol ID */ @@ -1348,7 +1369,7 @@ get_proppair(sa, mode) /* get transform */ if (get_transform(prop, pair, &num_p) < 0) { vfree(pbuf); - return NULL; + goto bad; } } vfree(pbuf); @@ -1410,10 +1431,14 @@ get_proppair(sa, mode) if (num_p <= 0) { plog(LLV_ERROR, LOCATION, NULL, "no Proposal found.\n"); - return NULL; + goto bad; } return pair; +bad: + if (pair != NULL) + racoon_free(pair); + return NULL; } /* @@ -1659,7 +1684,7 @@ get_sabysaprop(pp0, sa0) vchar_t *sa0; { struct prop_pair **pair; - vchar_t *newsa; + vchar_t *newsa = NULL; int newtlen; u_int8_t *np_p = NULL; struct prop_pair *p = NULL; @@ -1668,6 +1693,7 @@ get_sabysaprop(pp0, sa0) struct satrns *tr; int prophlen, trnslen; caddr_t bp; + int error = -1; /* get proposal pair */ pair = get_proppair(sa0, IPSECDOI_TYPE_PH2); @@ -1678,7 +1704,7 @@ get_sabysaprop(pp0, sa0) for (pp = pp0; pp; pp = pp->next) { if (pair[pp->prop_no] == NULL) - return NULL; + goto out; for (pr = pp->head; pr; pr = pr->next) { newtlen += (sizeof(struct isakmp_pl_p) 
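Review bot: `bad:` in get_proppair frees `pair` with `racoon_free(pair)`, but `pair` is the array whose slots get_transform has been filling with `prop_pair` chains, so a failure after the first proposal leaks those chains. The patch's own set_proposal_from_proposal hunk releases the same object with `free_proppair(pair)`; assuming that helper tolerates empty slots, use it here: `bad: if (pair != NULL) free_proppair(pair); return NULL;`. The `out:` label added to get_sabysaprop (following hunks) has the same `racoon_free(pair)` and should change likewise; there it leaks on the success path as well, since `pair` holds every chain get_proppair returned.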
@@ -1690,7 +1716,7 @@ get_sabysaprop(pp0, sa0) break; } if (p == NULL) - return NULL; + goto out; newtlen += ntohs(p->trns->h.len); } @@ -1700,7 +1726,7 @@ get_sabysaprop(pp0, sa0) newsa = vmalloc(newtlen); if (newsa == NULL) { plog(LLV_ERROR, LOCATION, NULL, "failed to get newsa.\n"); - return NULL; + goto out; } bp = newsa->v; @@ -1721,7 +1747,7 @@ get_sabysaprop(pp0, sa0) break; } if (p == NULL) - return NULL; + goto out; trnslen = ntohs(p->trns->h.len); @@ -1746,6 +1772,18 @@ get_sabysaprop(pp0, sa0) } } + error = 0; +out: + if (pair != NULL) + racoon_free(pair); + + if (error != 0) { + if (newsa != NULL) { + vfree(newsa); + newsa = NULL; + } + } + return newsa; } @@ -3297,7 +3335,7 @@ ipsecdoi_checkid1(iph1) } /* if phase 1 ID payload conformed RFC2407 4.6.2. */ - if (id_b->type == IPSECDOI_ID_IPV4_ADDR && + if (id_b->type == IPSECDOI_ID_IPV4_ADDR || id_b->type == IPSECDOI_ID_IPV6_ADDR) { if (id_b->proto_id == 0 && ntohs(id_b->port) != 0) { @@ -3627,9 +3665,12 @@ set_identifier(vpp, type, value) } new = vmalloc(sysdep_sa_len(sa)); - if (new == NULL) + if (new == NULL) { + racoon_free(sa); return -1; + } memcpy(new->v, sa, new->l); + racoon_free(sa); break; } case IDTYPE_ASN1DN: @@ -3922,9 +3963,9 @@ ipsecdoi_id2sockaddr(buf, saddr, prefixl + alen; for (; *p == 0xff; p++) { + plen += 8; if (plen >= max) break; - plen += 8; } if (plen < max) { --- ipsec-tools-0.6.6/src/racoon/gssapi.c.cve-2008-3651_3652 2008-08-28 18:03:02.000000000 -0400 +++ ipsec-tools-0.6.6/src/racoon/gssapi.c 2008-08-28 18:12:04.000000000 -0400 @@ -152,7 +152,6 @@ static int gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service) { char name[NI_MAXHOST]; - char *buf = NULL; struct sockaddr *sa; gss_buffer_desc name_token; OM_uint32 min_stat, maj_stat; 
@@ -162,8 +161,8 @@ gssapi_get_default_name(struct ph1handle if (getnameinfo(sa, sysdep_sa_len(sa), name, NI_MAXHOST, NULL, 0, 0) != 0) return -1; - name_token.length = asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name); - name_token.value = buf; + name_token.length = asprintf((void *)&name_token.value, + "%s@%s", GSSAPI_DEF_NAME, name); maj_stat = gss_import_name(&min_stat, &name_token, GSS_C_NT_HOSTBASED_SERVICE, service); if (GSS_ERROR(maj_stat)) {
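Review bot: asprintf's return value is stored straight into `name_token.length` (a `size_t`), so a -1 failure becomes a huge length with an undefined `value` pointer handed to gss_import_name. Check it first: `int n = asprintf((char **)&name_token.value, "%s@%s", GSSAPI_DEF_NAME, name); if (n < 0) return -1; name_token.length = n;`. The `(void *)&name_token.value` cast passes a `void **` where asprintf expects `char **`; it works on common ABIs but `(char **)` states the intent. Now that the local `buf` is gone, whether the allocated string is released after the import (outside the hunk) is worth confirming.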