diff -urNp openswan-2.6.32-cvs-patched/programs/pluto/ikev2_parent.c openswan-2.6.32-current/programs/pluto/ikev2_parent.c
--- openswan-2.6.32-cvs-patched/programs/pluto/ikev2_parent.c 2011-03-02 10:47:39.000000000 -0500
+++ openswan-2.6.32-current/programs/pluto/ikev2_parent.c 2011-05-11 17:44:53.281218745 -0400
@@ -123,7 +123,7 @@ ikev2parent_outI1(int whack_sock
st->st_msgid_nextuse = 0;
st->st_try = try;
- if (HAS_IPSEC_POLICY(policy))
+ if (HAS_IPSEC_POLICY(policy)) {
#ifdef HAVE_LABELED_IPSEC
st->sec_ctx = NULL;
if( uctx != NULL) {
@@ -137,6 +137,7 @@ ikev2parent_outI1(int whack_sock
, st->sec_ctx
#endif
);
+ }
if (predecessor == NULL)
openswan_log("initiating v2 parent SA");
diff -urNp openswan-2.6.32-cvs-patched/programs/pluto/initiate.c openswan-2.6.32-current/programs/pluto/initiate.c
--- openswan-2.6.32-cvs-patched/programs/pluto/initiate.c 2011-03-02 10:47:39.000000000 -0500
+++ openswan-2.6.32-current/programs/pluto/initiate.c 2011-05-11 17:40:11.729493789 -0400
@@ -775,19 +775,17 @@ initiate_ondemand_body(struct find_oppo_
#ifdef HAVE_LABELED_IPSEC
- char sec_ctx_value[256];
+ char sec_ctx_value[MAX_SECCTX_LEN];
memset(sec_ctx_value, 0, sizeof(sec_ctx_value));
if(uctx != NULL) {
memcpy(sec_ctx_value, uctx->sec_ctx_value, uctx->ctx_len);
}
- snprintf(demandbuf, 256, "initiate on demand from %s:%d to %s:%d proto=%d state: %s because: %s with security context %s"
- , ours, ourport, his, hisport, b->transport_proto
- , oppo_step_name[b->step], b->want, sec_ctx_value);
-#else
+ DBG(DBG_CONTROLMORE, DBG_log("received security label string: %s", sec_ctx_value));
+#endif
+
snprintf(demandbuf, 256, "initiate on demand from %s:%d to %s:%d proto=%d state: %s because: %s"
, ours, ourport, his, hisport, b->transport_proto
, oppo_step_name[b->step], b->want);
-#endif
if(DBGP(DBG_OPPOINFO)) {
openswan_log("%s", demandbuf);
diff -urNp openswan-2.6.32-cvs-patched/programs/pluto/spdb_v1_struct.c openswan-2.6.32-current/programs/pluto/spdb_v1_struct.c
--- openswan-2.6.32-cvs-patched/programs/pluto/spdb_v1_struct.c 2011-03-02 10:47:39.000000000 -0500
+++ openswan-2.6.32-current/programs/pluto/spdb_v1_struct.c 2011-05-11 18:18:03.326070297 -0400
@@ -105,11 +105,22 @@ parse_secctx_attr (pb_stream *pbs, struc
return FALSE;
}
- /* reading security label*/
- memcpy(sec_ctx_value, pbs->cur, pbs_left(pbs) <= MAX_SECCTX_LEN ? pbs_left(pbs) : MAX_SECCTX_LEN);
- i = pbs_left(pbs) <= MAX_SECCTX_LEN ? pbs_left(pbs) : MAX_SECCTX_LEN;
+ /*do not process security labels longer than MAX_SECCTX_LEN*/
+ if(pbs_left(pbs) > MAX_SECCTX_LEN) {
+ DBG(DBG_PARSING, DBG_log("received security ctx longer than MAX_SECCTX_LEN which is not supported"));
+ return FALSE;
+ }
- /* checking if the received security label contains \0 */
+ /* reading security label*/
+ //memcpy(sec_ctx_value, pbs->cur, pbs_left(pbs) <= MAX_SECCTX_LEN ? pbs_left(pbs) : MAX_SECCTX_LEN);
+ //i = pbs_left(pbs) <= MAX_SECCTX_LEN ? pbs_left(pbs) : MAX_SECCTX_LEN;
+ memcpy(sec_ctx_value, pbs->cur, pbs_left(pbs));
+ i = pbs_left(pbs);
+
+ /* checking if the received security label contains \0,
+ * We expect received label to have '\0', however to be
+ * compliant with implementations that dont send \0
+ * we can include \0 if there is space left in the buffer.*/
if( sec_ctx_value[i-1] != '\0') {
/*check if we have space left and then append \0*/
if (i < MAX_SECCTX_LEN) {
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
e8916e5cb6487118130934db089d8fa5
>
files
>
13
