From: David McCullough <David_Mccullough@securecomputing.com>
To: Eran Ben-Avi <eranpublic@yahoo.com>
Cc: linux-crypto@vger.kernel.org, dev@lists.openswan.org
Subject: Re: improper initialization of ipsec_table in openswan 2.4.9
Date: Thu, 8 Nov 2007 10:29:13 +1000 [thread overview]
Message-ID: <20071108002913.GA27507@securecomputing.com> (raw)
In-Reply-To: <537818.31005.qm@web62507.mail.re1.yahoo.com>
[-- Attachment #1: Type: text/plain, Size: 1750 bytes --]
Jivin Eran Ben-Avi lays it down ...
> Hi,
>
> While working with openswan 2.4.9 on kernel 2.6.22.7 I found a bug in file sysctl_net_ipsec.c.
> The initialization of ipsec_table is improper for newer kernel versions since ctl_table structure was updated.
> The 7th parameter which refer to *parent was initialized mistakenly with *proc_handler as it was in older kernel versions.
> As a result ipsec proc entries under /proc/sys/net/ipsec were created as directories instead of files which led to improper behavior of openswan.
> Patch attached - the patch is only for newer kernel versions. Of course it should be updated for backward compatibility.
The newly released 2.4.10 version has a fix for this included, but it
only names the one field to avoid the structure alignment changes.
Probably more a topic for the openswan dev list.
I figure it needs to be more like the attached changes to 2.4.9 going forward.
Will repost once I update to 2.4.10 (and then probably 2.5...) ;-)
Cheers,
Davidm
> --- linux/net/ipsec/sysctl_net_ipsec.c 2004-07-10 17:11:18.000000000 -0200
> +++ ../openswan-2.4.9_a/linux/net/ipsec/sysctl_net_ipsec.c 2007-11-06 11:13:13.000000000 -0200
> @@ -74,45 +74,45 @@
> static ctl_table ipsec_table[] = {
> #ifdef CONFIG_KLIPS_DEBUG
> { NET_IPSEC_DEBUG_AH, "debug_ah", &debug_ah,
> - sizeof(int), 0644, NULL, &proc_dointvec},
> + sizeof(int), 0644, NULL, NULL, &proc_dointvec},
> { NET_IPSEC_DEBUG_ESP, "debug_esp", &debug_esp,
> - sizeof(int), 0644, NULL, &proc_dointvec},
> + sizeof(int), 0644, NULL, NULL, &proc_dointvec},
....
--
David McCullough, david_mccullough@securecomputing.com, Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.cyberguard.com
[-- Attachment #2: sysctl.diff --]
[-- Type: text/x-diff, Size: 6495 bytes --]
Index: openswan/linux/net/ipsec/sysctl_net_ipsec.c
===================================================================
RCS file: /cvs/sw/new-wave/openswan/linux/net/ipsec/sysctl_net_ipsec.c,v
retrieving revision 1.2
diff -u -r1.2 sysctl_net_ipsec.c
--- openswan/linux/net/ipsec/sysctl_net_ipsec.c 26 Apr 2007 13:21:26 -0000 1.2
+++ openswan/linux/net/ipsec/sysctl_net_ipsec.c 8 Nov 2007 00:21:08 -0000
@@ -73,58 +73,171 @@
};
static ctl_table ipsec_table[] = {
+
#ifdef CONFIG_KLIPS_DEBUG
- { NET_IPSEC_DEBUG_AH, "debug_ah", &debug_ah,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_ESP, "debug_esp", &debug_esp,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_TUNNEL, "debug_tunnel", &debug_tunnel,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_EROUTE, "debug_eroute", &debug_eroute,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_SPI, "debug_spi", &debug_spi,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_RADIJ, "debug_radij", &debug_radij,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_NETLINK, "debug_netlink", &debug_netlink,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_XFORM, "debug_xform", &debug_xform,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_RCV, "debug_rcv", &debug_rcv,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_PFKEY, "debug_pfkey", &debug_pfkey,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_VERBOSE, "debug_verbose",&sysctl_ipsec_debug_verbose,
- sizeof(int), 0644, NULL, &proc_dointvec},
+ {
+ .ctl_name = NET_IPSEC_DEBUG_AH,
+ .procname = "debug_ah",
+ .data = &debug_ah,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_DEBUG_ESP,
+ .procname = "debug_esp",
+ .data = &debug_esp,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_DEBUG_TUNNEL,
+ .procname = "debug_tunnel",
+ .data = &debug_tunnel,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_DEBUG_EROUTE,
+ .procname = "debug_eroute",
+ .data = &debug_eroute,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_DEBUG_SPI,
+ .procname = "debug_spi",
+ .data = &debug_spi,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_DEBUG_RADIJ,
+ .procname = "debug_radij",
+ .data = &debug_radij,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_DEBUG_NETLINK,
+ .procname = "debug_netlink",
+ .data = &debug_netlink,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_DEBUG_XFORM,
+ .procname = "debug_xform",
+ .data = &debug_xform,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_DEBUG_RCV,
+ .procname = "debug_rcv",
+ .data = &debug_rcv,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_DEBUG_PFKEY,
+ .procname = "debug_pfkey",
+ .data = &debug_pfkey,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_DEBUG_VERBOSE,
+ .procname = "debug_verbose",
+ .data = &sysctl_ipsec_debug_verbose,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
#ifdef CONFIG_KLIPS_IPCOMP
- { NET_IPSEC_DEBUG_IPCOMP, "debug_ipcomp", &sysctl_ipsec_debug_ipcomp,
- sizeof(int), 0644, NULL, &proc_dointvec},
+ {
+ .ctl_name = NET_IPSEC_DEBUG_IPCOMP,
+ .procname = "debug_ipcomp",
+ .data = &sysctl_ipsec_debug_ipcomp,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
#endif /* CONFIG_KLIPS_IPCOMP */
#ifdef CONFIG_KLIPS_REGRESS
- { NET_IPSEC_REGRESS_PFKEY_LOSSAGE, "pfkey_lossage",
- &sysctl_ipsec_regress_pfkey_lossage,
- sizeof(int), 0644, NULL, &proc_dointvec},
+ {
+ .ctl_name = NET_IPSEC_REGRESS_PFKEY_LOSSAGE,
+ .procname = "pfkey_lossage",
+ .data = &sysctl_ipsec_regress_pfkey_lossage,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
#endif /* CONFIG_KLIPS_REGRESS */
#endif /* CONFIG_KLIPS_DEBUG */
- { NET_IPSEC_ICMP, "icmp", &sysctl_ipsec_icmp,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_INBOUND_POLICY_CHECK, "inbound_policy_check", &sysctl_ipsec_inbound_policy_check,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_TOS, "tos", &sysctl_ipsec_tos,
- sizeof(int), 0644, NULL, &proc_dointvec},
- {0}
+
+ {
+ .ctl_name = NET_IPSEC_ICMP,
+ .procname = "icmp",
+ .data = &sysctl_ipsec_icmp,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_INBOUND_POLICY_CHECK,
+ .procname = "inbound_policy_check",
+ .data = &sysctl_ipsec_inbound_policy_check,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPSEC_TOS,
+ .procname = "tos",
+ .data = &sysctl_ipsec_tos,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = 0
+ }
};
static ctl_table ipsec_net_table[] = {
- { NET_IPSEC, "ipsec", NULL, 0, 0555, ipsec_table },
- { 0 }
+ {
+ .ctl_name = NET_IPSEC,
+ .procname = "ipsec",
+ .mode = 0555,
+ .child = ipsec_table
+ },
+ {
+ .ctl_name = 0
+ }
};
static ctl_table ipsec_root_table[] = {
- { CTL_NET, "net", NULL, 0, 0555, ipsec_net_table },
- { 0 }
+ {
+ .ctl_name = CTL_NET,
+ .procname = "net",
+ .mode = 0555,
+ .child = ipsec_net_table
+ },
+ {
+ .ctl_name = 0
+ }
};
static struct ctl_table_header *ipsec_table_header;
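Review bot: The hunk never says why it moves the three tables to designated initializers, and the defect it fixes is invisible in the new text, so a comment above `static ctl_table ipsec_table[] = {` is needed: `/* Designated initializers: ctl_table's field order differs between kernel versions, and the old positional form put proc_dointvec into ->parent on newer kernels, so the entries came up as directories. */`. The same comment should note that naming the fields turns any future ctl_table layout change into a compile error rather than a silently misplaced pointer, which is the property the positional `{ ..., NULL, &proc_dointvec }` form lacked. The `{ .ctl_name = 0 }` terminators are equivalent to the old `{ 0 }`, so nothing else in the hunk changes behaviour beyond the field placement; the comment is the only thing I would add.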