diff -Naur openswan-2.6.25/programs/pluto/connections.c openswan-2.6.25-CVE/programs/pluto/connections.c
--- openswan-2.6.25/programs/pluto/connections.c 2010-03-21 13:39:35.000000000 -0400
+++ openswan-2.6.25-CVE/programs/pluto/connections.c 2010-09-20 16:05:02.718805413 -0400
@@ -319,6 +319,11 @@
 set_debugging(old_cur_debugging);
 #endif
 pfreeany(c->name);
+#ifdef XAUTH
+ pfreeany(c->cisco_dns_info);
+ pfreeany(c->cisco_domain_info);
+ pfreeany(c->cisco_banner);
+#endif
 #ifdef DYNAMICDNS
 pfreeany(c->dnshostname);
 #endif /* DYNAMICDNS */
@@ -756,6 +761,12 @@
 c->name = clone_str(c->name, "connection name");
+#ifdef XAUTH
+ c->cisco_dns_info = clone_str(c->cisco_dns_info, "connection cisco_dns_info");
+ c->cisco_domain_info = clone_str(c->cisco_domain_info, "connection cisco_domain_info");
+ c->cisco_banner = clone_str(c->cisco_banner, "connection cisco_banner");
+#endif
+
 #ifdef DYNAMICDNS
 c->dnshostname = clone_str(c->dnshostname, "connection dnshostname");
 #endif /* DYNAMICDNS */
@@ -1185,7 +1196,17 @@
 c->name = wm->name;
 c->connalias = wm->connalias;
+#ifdef XAUTH_USEPAM
+ c->pamh = NULL;
+#endif
+
+#ifdef XAUTH
+ c->cisco_dns_info = NULL;
+ c->cisco_domain_info = NULL;
+ c->cisco_banner = NULL;
+#endif
 #ifdef DYNAMICDNS
+ c->dnshostname = NULL;
 if (wm->dnshostname) c->dnshostname = wm->dnshostname;
 #endif /* DYNAMICDNS */
@@ -1290,11 +1311,6 @@
 /* Cisco interop: remote peer type */ c->remotepeertype=wm->remotepeertype;
- /* Initializing Cisco dns and domain info */
- if (c->remotepeertype == CISCO) {
- c->cisco_dns_info[0] ='\0';
- c->cisco_domain_info[0] ='\0';
- }
 c->metric = wm->metric;
diff -Naur openswan-2.6.25/programs/pluto/connections.h openswan-2.6.25-CVE/programs/pluto/connections.h
--- openswan-2.6.25/programs/pluto/connections.h 2010-03-21 13:39:35.000000000 -0400
+++ openswan-2.6.25-CVE/programs/pluto/connections.h 2010-09-20 16:06:35.588389746 -0400
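Review bot: The new pfreeany(), clone_str() and NULL-initialisation lines for cisco_dns_info, cisco_domain_info and cisco_banner in the hunks at -319, -756 and -1185 are guarded by `#ifdef XAUTH` alone, while the connections.h hunk declares cisco_dns_info and cisco_domain_info under `#ifdef XAUTH` plus `# ifdef MODECFG`, so a build with XAUTH but without MODECFG references members that do not exist. Either wrap these three blocks in the same nested `# ifdef MODECFG` (as the kernel.c hunks already do) or move the member declarations up to the XAUTH level. cisco_banner is not declared in any hunk on this page; unless it is declared elsewhere in struct connection, the -319 hunk will not compile at all. The enclosing functions start and end outside these hunks.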
@@ -254,13 +254,15 @@
 #ifdef DYNAMICDNS
 char *dnshostname;
 #endif /* DYNAMICDNS */
-#ifdef MODECFG
+#ifdef XAUTH
+# ifdef MODECFG
 ip_address modecfg_dns1;
 ip_address modecfg_dns2;
 ip_address modecfg_wins1;
 ip_address modecfg_wins2;
- char cisco_dns_info[50];
- char cisco_domain_info[50];
+ char *cisco_dns_info;
+ char *cisco_domain_info;
+# endif
 #endif
 u_int8_t metric; /* metric for tunnel routes */
 #ifdef HAVE_STATSD
diff -Naur openswan-2.6.25/programs/pluto/kernel.c openswan-2.6.25-CVE/programs/pluto/kernel.c
--- openswan-2.6.25/programs/pluto/kernel.c 2010-03-21 13:39:35.000000000 -0400
+++ openswan-2.6.25-CVE/programs/pluto/kernel.c 2010-09-20 16:09:19.059388874 -0400
@@ -421,10 +421,17 @@
 "PLUTO_STACK='%s' "
 "%s " /* possible metric */
 "PLUTO_CONN_POLICY='%s' "
- "%s " /* XAUTH username */
- "%s " /* PLUTO_MY_SRCIP */
+#ifdef XAUTH
+ "%s " /* XAUTH username - if any */
+#endif
+ "%s " /* PLUTO_MY_SRCIP - if any */
+#ifdef XAUTH
+# ifdef MODECFG
+ "PLUTO_CISCO_DNS_INFO='%s' " "PLUTO_CISCO_DOMAIN_INFO='%s' "
+# endif /* MODECFG */
+#endif /* XAUTH */
 , c->name
 , c->interface->ip_dev->id_vname
 , nexthop_str
@@ -446,10 +453,17 @@
 , kernel_ops->kern_name
 , metric_str
 , prettypolicy(c->policy)
+#ifdef XAUTH
 , secure_xauth_username_str
+#endif
 , srcip_str
+#ifdef XAUTH
+# ifdef MODECFG
 , c->cisco_dns_info
- , c->cisco_domain_info);
+ , c->cisco_domain_info
+# endif /* MODECFG */
+#endif /* XAUTH */
+ );
 /*
 * works for both old and new way of snprintf() returning
 * eiter -1 or the output length -- by Carsten Schlote
diff -Naur openswan-2.6.25/programs/pluto/xauth.c openswan-2.6.25-CVE/programs/pluto/xauth.c
--- openswan-2.6.25/programs/pluto/xauth.c 2010-03-21 13:39:35.000000000 -0400
+++ openswan-2.6.25-CVE/programs/pluto/xauth.c 2010-09-20 16:11:01.633403639 -0400
@@ -39,6 +39,8 @@
 #include
 #include
+#include "oswalloc.h"
+
 #include "sysdep.h"
 #include "oswconf.h"
 #include "constants.h"
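Review bot: The context line `, c->cisco_dns_info` and the new `, c->cisco_domain_info` line in the kernel.c hunk at -446 now pass pointers that are NULL until a Cisco mode-config reply has been processed (the connections.c hunk at -1185 initialises both fields to NULL), whereas before the change they were always valid arrays; handing NULL to a `%s` conversion is undefined behaviour and only some C libraries print "(null)". Substitute an empty string at the call site: `, c->cisco_dns_info == NULL ? "" : c->cisco_dns_info` and `, c->cisco_domain_info == NULL ? "" : c->cisco_domain_info`. The snprintf() call begins in the -421 hunk and its result handling continues past this one.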
@@ -912,12 +914,10 @@
 reply[count].resp_retcode = 0;
 reply[count].resp = string;
- string = NULL;
 }
 }
 *response = reply;
- reply = NULL;
 return PAM_SUCCESS;
 }
 #endif
@@ -1626,6 +1626,39 @@
 return STF_OK;
 }
+/* Auxillary function for modecfg_inR1() */
+static char *
+cisco_stringify(pb_stream *pbs, const char *attr_name)
+{
+ char strbuf[500]; /* Cisco maximum unknown - arbitrary choice */
+ size_t len = pbs_left(pbs);
+
+ if (len > sizeof(strbuf)-1)
+ len = sizeof(strbuf)-1;
+
+ memcpy(strbuf, pbs->cur, len);
+ strbuf[len] = '\0';
+ /* ' is poison to the way this string will be used
+ * in system() and hence shell. Remove any.
+ */
+ {
+ char *s = strbuf;
+
+ for (;;)
+ {
+ s = strchr(s, '\'');
+ if (s == NULL)
+ break;
+ *s = '?';
+ }
+ }
+ (void)sanitize_string(strbuf, sizeof(strbuf));
+ DBG(DBG_CONTROL, DBG_log("Received Cisco %s: %s", attr_name, strbuf));
+ return clone_str(strbuf, attr_name);
+}
+
+
+
 /** STATE_MODE_CFG_R1:
 * HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK)
 *
@@ -1639,7 +1672,6 @@
 pb_stream *attrs = &md->chain[ISAKMP_NEXT_ATTR]->pbs;
 int resp = LEMPTY;
 struct payload_digest *p;
- bool first_dns_flag = TRUE;
 DBG(DBG_CONTROL, DBG_log("modecfg_inR1"));
 openswan_log("received mode cfg reply");
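Review bot: Removing `string = NULL;` and `reply = NULL;` in the hunk at -912 drops the ownership hand-off markers after `reply[count].resp = string` and `*response = reply`; if the function's failure path (outside this hunk) frees `string` or `reply` on a later iteration, the buffers already handed to PAM could be freed twice. If they were removed as dead stores because the function returns immediately after `*response = reply` and `string` is reassigned at the top of every loop iteration, add a one-line comment at `*response = reply;` saying that ownership passes to the caller, so the next reader does not add a cleanup path that frees it; otherwise keep both assignments. The enclosing function starts outside the hunk.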
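Review bot: cisco_stringify() at -1626 neutralises only `'` before the value is later interpolated into a `PLUTO_CISCO_…='%s'` string that the comment says reaches system(), so the remaining defence rests entirely on what sanitize_string() strips, which is not visible on this page; a comment at the `(void)sanitize_string(strbuf, sizeof(strbuf));` line stating that it must remove every non-printable and shell-significant byte, and that this function is the only filter between peer-supplied data and the shell, would record that dependency. Truncation at `len = sizeof(strbuf)-1` is silent; a `DBG_log` when pbs_left(pbs) exceeds the buffer would help diagnose peers sending longer values. The comment `Auxillary` should read `Auxiliary`.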
@@ -1791,14 +1823,30 @@
 addrtot(&a, 0, caddr, sizeof(caddr));
 openswan_log("Received DNS %s, len=%d", caddr, strlen(caddr));
- if (first_dns_flag) {
- strcpy(st->st_connection->cisco_dns_info, caddr);
- first_dns_flag = 0;
- }
- else {
- strcat(st->st_connection->cisco_dns_info, " ");
- strcat(st->st_connection->cisco_dns_info, caddr);
- }
+ {
+ struct connection *c = st->st_connection;
+ char *old = c->cisco_dns_info;
+
+ if (old == NULL)
+ {
+ c->cisco_dns_info = clone_str(caddr, "cisco_dns_info");
+ }
+ else
+ {
+ /* concatenate new IP address string on end of
+ * existing string, separated by ' '.
+ */
+ size_t sz_old = strlen(old);
+ size_t sz_added = strlen(caddr) + 1;
+ char *new = alloc_bytes(sz_old + 1 + sz_added, "cisco_dns_info+");
+
+ memcpy(new, old, sz_old);
+ *(new + sz_old) =' ';
+ memcpy(new + sz_old + 1, caddr, sz_added);
+ c->cisco_dns_info = new;
+ pfree(old);
+ }
+ }
 DBG_log("Cisco DNS info: %s, len=%d", st->st_connection->cisco_dns_info, strlen(st->st_connection->cisco_dns_info));
 }
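Review bot: The concatenation block at -1791 appends every CISCO_DNS attribute to c->cisco_dns_info and never resets the field, so if modecfg_inR1() runs again for the same connection (a later mode-config exchange or rekey — inferred, the caller is outside the hunk) the list keeps growing with duplicate entries. Clear it once before the attribute loop, e.g. `pfreeany(c->cisco_dns_info); c->cisco_dns_info = NULL;`, rather than relying on the NULL set at connection creation. The sizing itself is right: sz_added includes the terminator and the allocation is sz_old + 1 + sz_added, so the separator and NUL fit. Style only: `new[sz_old] = ' ';` reads more plainly than `*(new + sz_old) =' ';`.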
@@ -1812,29 +1860,18 @@
 break;
 case CISCO_BANNER:
- {
- char test[500];
- DBG_dump("Received cisco banner: ", strattr.cur, pbs_left(&strattr));
- strncpy(test,strattr.cur, pbs_left(&strattr));
- test[pbs_left(&strattr)]='\0';
- DBG_log("Cisco banner: %s", test);
- resp |= LELEM(attr.isaat_af_type);
- }
- break;
-
+ {
+ st->st_connection->cisco_banner = cisco_stringify(&strattr,"Cisco Banner");
+ resp |= LELEM(attr.isaat_af_type);
+ break;
+ }
 case CISCO_DEF_DOMAIN:
- {
- char tmp[50];
- DBG_dump("Received cisco def domain: ", strattr.cur, pbs_left(&strattr));
- strncpy(tmp, strattr.cur, pbs_left(&strattr));
- tmp[pbs_left(&strattr)]='\0';
- DBG_log("Cisco defined domain: %s", tmp);
- strcpy(st->st_connection->cisco_domain_info, tmp);
- DBG_log("Cisco defined domain: %s", st->st_connection->cisco_domain_info);
- resp |= LELEM(attr.isaat_af_type);
- }
- break;
 case CISCO_SPLIT_INC:
 {
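Review bot: Both new assignments `st->st_connection->cisco_banner = cisco_stringify(&strattr,"Cisco Banner");` and `st->st_connection->cisco_domain_info = cisco_stringify(&strattr,"Cisco Domain");` overwrite the pointer without releasing the previous value, so a peer that sends the attribute twice in one reply, or a second mode-config reply on the same connection, leaks the earlier clone_str() allocation. Free first: `pfreeany(st->st_connection->cisco_banner);` before the banner assignment and `pfreeany(st->st_connection->cisco_domain_info);` before the domain one, matching what connections.c already uses for these fields. The switch continues past the hunk at `case CISCO_SPLIT_INC:`.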