Package Details: ike 2.2.1-10

Git Clone URL: https://aur.archlinux.org/ike.git (read-only)
Package Base: ike
Description: Shrew Soft VPN client for Linux
Upstream URL: http://www.shrew.net
Licenses: BSD
Submitter: tmhedberg
Maintainer: None
Last Packager: rockybulwinkle
Votes: 27
Popularity: 0.000000
First Submitted: 2011-12-06 17:01 (UTC)
Last Updated: 2025-04-17 14:10 (UTC)

Latest Comments


mkurz commented on 2023-03-23 20:50 (UTC)

@rockybulwinkle It works! Great work, thank you very much!

rockybulwinkle commented on 2023-03-23 20:19 (UTC)

Pushed my changes, try them out @mkurz

rockybulwinkle commented on 2023-03-23 19:32 (UTC)

@mkurz, I don't see how removing that delete would solve the double free issue. Just below the delete, data_buff is set to the newly allocated memory (new_buff).

I think your changes would hide an already-existing use-after-free bug. If "data_buff" was already freed, and we just copied data out of it, then what the heck did we just copy?

I'm working on my own fix right now. The root cause in my test case (missing configuration data) appears to be in _CONFIG_MANAGER::file_vpn_load. When config.get_ispublic() is true, if sites_all isn't set, then it adds an empty string to the path. That alone isn't a problem, but then it goes to try to add a delimiter to "size-1", which causes an integer overflow. It doesn't appear it was written to detect this edge case.

The EOF patch looks reasonable.
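
The "size-1" edge case described in the comment above, as an added example that is not part of the ike source or of this thread: a hypothetical C++ reconstruction of a path join that computes `size - 1` on a possibly empty component (what an unset sites_all would produce), next to a guarded version and a join that skips empty components instead of indexing into them. The function names, the directory name and the sample path pieces are constructed for illustration and are not taken from _CONFIG_MANAGER.

```cpp
// Added example, not ike's code: how "size - 1" on an empty string
// wraps around for size_t, and two ways to avoid indexing at that value.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// The pre-fix pattern: assume the component has at least one character
// and compute the index where a delimiter would go. For an empty
// component size() == 0, so 0 - 1 wraps to SIZE_MAX (unsigned arithmetic).
size_t naive_delim_index(const std::string &component) {
    return component.size() - 1;
}

// True when the naive index would land outside the component's storage,
// i.e. when writing a delimiter there would be an out-of-bounds write.
bool would_write_out_of_bounds(const std::string &component) {
    return naive_delim_index(component) >= component.size();
}

// Guarded variant: report "no valid index" (-1) instead of a wrapped
// size_t, so the caller has to handle the empty-string case explicitly.
long safe_delim_index(const std::string &component) {
    if (component.empty())
        return -1;
    return static_cast<long>(component.size()) - 1;
}

// Path join that never indexes a component at all: empty pieces are
// skipped and a '/' is inserted only between two non-empty pieces.
std::string join_path(const std::vector<std::string> &parts) {
    std::string path;
    for (const std::string &p : parts) {
        if (p.empty())
            continue;                      // the "sites_all unset" case
        if (!path.empty() && path.back() != '/')
            path += '/';
        path += p;
    }
    return path;
}

// Constructed sample (hypothetical site-config location, not a real path).
const std::vector<std::string> kSampleParts = {
    "/home/user/.ike/sites", "", "vpn.pcf"
};
```

With the empty middle component `naive_delim_index` returns SIZE_MAX and `would_write_out_of_bounds` is true; `safe_delim_index` returns -1 and `join_path` produces "/home/user/.ike/sites/vpn.pcf" without ever touching the empty piece.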

mkurz commented on 2023-03-23 18:43 (UTC)

@rockybulwinkle Also see https://github.com/dpolitis/shrew.net-vpn-openssl1.1.1/pull/3/files

mkurz commented on 2023-03-23 17:43 (UTC)

@rockybulwinkle can you please apply the patches in my previous two comments? Thanks!

mkurz commented on 2023-03-23 17:38 (UTC)

Another fix is necessary to make ikec run on arm (aarch64): We should not compare unsigned chars to EOF (-1), so here the fix is to avoid casting the return value of fgetc, otherwise the config will not be loaded correctly.

The exact same problem happened here: https://bugs.webkit.org/show_bug.cgi?id=144439

Here is the patch:

diff --git a/.SRCINFO b/.SRCINFO
index 495888d..bca9bb0 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -17,10 +17,12 @@ pkgbase = ike
    source = openssl-1.1.0.patch
    source = cmake-threadlib.patch
    source = double_free_or_corruption.patch
+   source = fix_file_eof.patch
    md5sums = 3dac18a2da5809ccb38c50cd4a455897
    md5sums = 3cb3ff3b663805f76be1efd527ae436c
    md5sums = 57348fe9112555c0204709c1716e5fff
    md5sums = 4c823bae9e006cf7bfb11fa633a59837
    md5sums = a861705be53c8409f82c5e97398267a6
+   md5sums = 08da74444a28bbd0d2ed056a293e3d72

 pkgname = ike
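
Review bot: the `source =` and `md5sums =` lines are being hand-edited into .SRCINFO here; regenerate the file with `makepkg --printsrcinfo > .SRCINFO` after changing the PKGBUILD so the two cannot drift apart (a stale .SRCINFO is what the AUR indexes, not the PKGBUILD).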
diff --git a/PKGBUILD b/PKGBUILD
index 042b3f8..94f6c90 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -14,12 +14,13 @@ depends=(openssl ncurses libedit)
 makedepends=(cmake)
 optdepends=(openldap)
 backup=(etc/iked.conf)
-source=("http://www.shrew.net/download/ike/ike-$pkgver-release.tgz" iked.service openssl-1.1.0.patch cmake-threadlib.patch double_free_or_corruption.patch)
+source=("http://www.shrew.net/download/ike/ike-$pkgver-release.tgz" iked.service openssl-1.1.0.patch cmake-threadlib.patch double_free_or_corruption.patch fix_file_eof.patch)
 md5sums=('3dac18a2da5809ccb38c50cd4a455897'
          '3cb3ff3b663805f76be1efd527ae436c'
          '57348fe9112555c0204709c1716e5fff'
          '4c823bae9e006cf7bfb11fa633a59837'
          'a861705be53c8409f82c5e97398267a6'
+         '08da74444a28bbd0d2ed056a293e3d72'
          )

 prepare () {
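
Review bot: every entry in the checksum array, including the one for the tarball fetched over plain http from www.shrew.net, is still an md5sum; since this hunk already rewrites the whole array to add the new patch, switch it to sha256sums (`updpkgsums` or `makepkg -g` produce the values) and use an https source URL if upstream serves one, so the download is verified with a hash makepkg does not consider deprecated.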
@@ -27,6 +28,7 @@ prepare () {
     patch -p1 -i "$srcdir/openssl-1.1.0.patch"
     patch -p1 -i "$srcdir/cmake-threadlib.patch"
     patch -p1 -i "$srcdir/double_free_or_corruption.patch"
+    patch -p1 -i "$srcdir/fix_file_eof.patch"
     sed -i 's/define "parser_class_name"/define parser_class_name/' ./source/iked/conf.parse.yy
 }

diff --git a/fix_file_eof.patch b/fix_file_eof.patch
new file mode 100644
index 0000000..ea8e445
--- /dev/null
+++ b/fix_file_eof.patch
@@ -0,0 +1,24 @@
+diff --git a/source/libike/manager.file.cpp b/source/libike/manager.file.cpp
+index 67a50ad..babd352 100644
+--- a/source/libike/manager.file.cpp
++++ b/source/libike/manager.file.cpp
+@@ -203,8 +203,8 @@ bool _CONFIG_MANAGER::file_vpn_load( CONFIG & config, const char * path, bool sa
+ 
+   while( true )
+   {
+-      char    next;
+-      char    type;
++      int     next;
++      int     type;
+       BDATA   name;
+       BDATA   data;
+ 
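
Review bot: widening `next` and `type` to `int` only fixes the EOF comparison if every later use inside this `while( true )` loop still treats them correctly, and the hunk shows none of those uses: a `switch( type )` on character literals keeps working, but any spot that stores `next` into a char buffer, passes it as `char`, or compares it against a `char` now needs an explicit cast. Please check the remainder of file_vpn_load for such sites, or include them in the diff.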
+@@ -405,7 +405,7 @@ bool _CONFIG_MANAGER::file_vpn_del( CONFIG & config )
+ 
+ bool read_line_pcf( FILE * fp, BDATA & name, BDATA & data )
+ {
+-  char    next;
++  int     next;
+   BDATA   line;
+ 
+   name.del();
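
Review bot: the comment says the fix is to stop casting the return value of fgetc, but this hunk (like the one above it) changes only the declaration of `next`; if the assignment in read_line_pcf reads `next = (char)fgetc( fp )` the narrowing still happens before the EOF test and the `int` declaration changes nothing. Include the assignment line in the diff, or confirm it is a bare `next = fgetc( fp )`, so the comparison being fixed is visible to a reviewer.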

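The EOF problem described in the comment above, as an added example that is neither ike's code nor the patch itself: a C++ program that reads a constructed sample through three variants of the read loop, the pre-patch `char` narrowing as it behaves where plain char is unsigned (aarch64 Linux), the same narrowing where plain char is signed (x86), and the patched `int` form. It uses explicit `unsigned char` and `signed char` so both failure modes reproduce on any host; the sample contents and the function names are constructed for illustration and are not from manager.file.cpp.

```cpp
// Added example, not ike's code: fgetc() returns int so that EOF (-1) is
// distinguishable from every byte value 0..255. Narrowing the result to a
// char before the EOF test breaks that on both char signednesses.
#include <cstdio>
#include <limits>
#include <string>

// Constructed sample inputs (not real .pcf files).
const std::string kPcfSample = "[main]\nNetwork-Host:vpn.example.net\n";  // 36 bytes
const std::string kHighByteSample = std::string("ab\xFF") + "cd\n";         // 6 bytes, one 0xFF

// True where plain char is signed (x86), false where it is unsigned (aarch64 Linux).
bool plain_char_is_signed() {
    return std::numeric_limits<char>::is_signed;
}

// Writes the sample to a temporary FILE* and rewinds it.
static FILE *open_sample(const std::string &contents) {
    FILE *fp = std::tmpfile();
    if (fp == nullptr)
        return nullptr;
    std::fwrite(contents.data(), 1, contents.size(), fp);
    std::rewind(fp);
    return fp;
}

// Pre-patch pattern as it behaves on aarch64 (char unsigned): EOF (-1)
// narrows to 0xFF, promotes back to 255 and never equals EOF, so the
// loop only ends because of the iteration cap. Returns bytes "read".
size_t bytes_read_unsigned_char(const std::string &contents, size_t cap) {
    FILE *fp = open_sample(contents);
    if (fp == nullptr)
        return 0;
    size_t n = 0;
    while (n < cap) {
        unsigned char next = (unsigned char)std::fgetc(fp);
        if (next == EOF)            // never true: 255 != -1
            break;
        ++n;
    }
    std::fclose(fp);
    return n;
}

// Pre-patch pattern as it behaves on x86 (char signed): real EOF is
// detected, but a 0xFF data byte also narrows to -1 and truncates input.
size_t bytes_read_signed_char(const std::string &contents) {
    FILE *fp = open_sample(contents);
    if (fp == nullptr)
        return 0;
    size_t n = 0;
    while (true) {
        signed char next = (signed char)std::fgetc(fp);
        if (next == EOF)            // also fires on byte 0xFF
            break;
        ++n;
    }
    std::fclose(fp);
    return n;
}

// Patched pattern: keep the int until after the EOF test; narrow to char
// only once we know the value is a real byte.
size_t bytes_read_int(const std::string &contents) {
    FILE *fp = open_sample(contents);
    if (fp == nullptr)
        return 0;
    size_t n = 0;
    while (true) {
        int next = std::fgetc(fp);
        if (next == EOF)
            break;
        char byte = static_cast<char>(next);  // safe here
        (void)byte;
        ++n;
    }
    std::fclose(fp);
    return n;
}
```

On x86 the pre-patch code happens to detect EOF, which is why the bug only surfaced on aarch64; the signed-char variant shows it is still wrong there, since any 0xFF byte in a config file ends the read early. The `int` form returns the true length of both samples.
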
mkurz commented on 2023-03-23 17:34 (UTC)

When running ikec on arm (aarch64) you run into "double free or corruption". The "double free or corruption" error occurs when memory is freed twice or when memory is freed that was not previously allocated. In libidb.cpp, it seems that the data_buff pointer is being freed twice: once in the grow method and again in the ~_BDATA destructor.

To fix that we can just not free the memory in the grow method. Here is the patch:

diff --git a/.SRCINFO b/.SRCINFO
index b6aa261..495888d 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -16,9 +16,11 @@ pkgbase = ike
    source = iked.service
    source = openssl-1.1.0.patch
    source = cmake-threadlib.patch
+   source = double_free_or_corruption.patch
    md5sums = 3dac18a2da5809ccb38c50cd4a455897
    md5sums = 3cb3ff3b663805f76be1efd527ae436c
    md5sums = 57348fe9112555c0204709c1716e5fff
    md5sums = 4c823bae9e006cf7bfb11fa633a59837
+   md5sums = a861705be53c8409f82c5e97398267a6

 pkgname = ike
diff --git a/PKGBUILD b/PKGBUILD
index 31b350e..042b3f8 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -14,17 +14,19 @@ depends=(openssl ncurses libedit)
 makedepends=(cmake)
 optdepends=(openldap)
 backup=(etc/iked.conf)
-source=("http://www.shrew.net/download/ike/ike-$pkgver-release.tgz" iked.service openssl-1.1.0.patch cmake-threadlib.patch)
+source=("http://www.shrew.net/download/ike/ike-$pkgver-release.tgz" iked.service openssl-1.1.0.patch cmake-threadlib.patch double_free_or_corruption.patch)
 md5sums=('3dac18a2da5809ccb38c50cd4a455897'
          '3cb3ff3b663805f76be1efd527ae436c'
          '57348fe9112555c0204709c1716e5fff'
          '4c823bae9e006cf7bfb11fa633a59837'
+         'a861705be53c8409f82c5e97398267a6'
          )

 prepare () {
     cd "$srcdir/ike"
     patch -p1 -i "$srcdir/openssl-1.1.0.patch"
     patch -p1 -i "$srcdir/cmake-threadlib.patch"
+    patch -p1 -i "$srcdir/double_free_or_corruption.patch"
     sed -i 's/define "parser_class_name"/define parser_class_name/' ./source/iked/conf.parse.yy
 }

diff --git a/double_free_or_corruption.patch b/double_free_or_corruption.patch
new file mode 100644
index 0000000..e04c6a8
--- /dev/null
+++ b/double_free_or_corruption.patch
@@ -0,0 +1,12 @@
+diff --git a/source/libidb/libidb.cpp b/source/libidb/libidb.cpp
+index 672198a..d66620e 100644
+--- a/source/libidb/libidb.cpp
++++ b/source/libidb/libidb.cpp
+@@ -99,7 +99,6 @@ size_t _BDATA::grow( size_t new_real )
+       if( data_buff != NULL )
+       {
+           memcpy( new_buff, data_buff, data_real );
+-          delete [] data_buff;
+       }
+ 
+       data_buff = new_buff;
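
Review bot: removing `delete [] data_buff` turns every grow() into a leak of the previous buffer and does not remove the suspected double free, it only hides it: if data_buff has already been freed by the time grow() runs, the `memcpy( new_buff, data_buff, data_real )` two lines above still reads freed memory, which is the use-after-free rockybulwinkle describes. Since `data_buff = new_buff;` follows immediately, grow() itself cannot free the same pointer twice; the second free has to come from somewhere else holding a copy of data_buff (a shallow copy of a _BDATA would produce exactly this pattern, though that is a guess from these lines alone). The fix should establish single ownership of data_buff rather than suppress the delete here.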

rockybulwinkle commented on 2022-11-08 21:06 (UTC)

Thanks manuelino. I think your approach may be better. I'll have to take a closer look tonight. Generally, disabling compiler warnings like I did is more of a "band-aid" than a "fix".

manuelino commented on 2022-11-08 20:52 (UTC)

Dumped to pastebin.

https://pastebin.com/hnPzUS6z

manuelino commented on 2022-11-08 20:49 (UTC)

Aaaand... I messed up the Markdown formatting.