Your message dated Tue, 19 Nov 2013 18:48:40 +0000
with message-id <[email protected]>
and subject line Bug#727564: fixed in openvpn-auth-radius 2.1-5
has caused the Debian Bug report #727564,
regarding openvpn-auth-radius: netmask computation is bogus
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
727564: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727564
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn-auth-radius
Version: 2.1-4
Severity: normal
Tags: upstream patch

Hello,

The netmask computation is bogus, using for instance 10.11.12.13/29 leads to bogus values such as 255.255.255.248. (with a trailing dot). Worse, on amd64 there's an additional 0 leading to a buffer overflow which drops the route itself.

The attached patch rewrites the computation in a much more simple and working way. It has already been submitted upstream on May 24th and today, without any answer so far.

Samuel

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11.0 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Subject: [PATCH] Fix iroute netmask computation

This rewrites computation of the netmask from CIDR netmask. It was previously completely buggy due to using j instead of k. Using doubles to store a 32bit value is not really safe, and using masks and shifts is much simpler actually.

--- a/UserAuth.cpp 29 Aug 2012 10:22:57 -0000 1.10 +++ b/UserAuth.cpp 24 May 2013 21:48:26 -0000 @@ -1493,11 +1493,10 @@ int UserAuth::createCcdFile(PluginContex char framedroutes[4096]; char framednetmask_cidr[3]; // ->/24 char framednetmask[16]; // ->255.255.255.0 - char mask_part[6]; char framedgw[16]; char framedmetric[5]; //what is the biggest metric? - double d1,d2; + unsigned long d1,d2; int j=0,k=0; int len=0; @@ -1602,7 +1601,6 @@ int UserAuth::createCcdFile(PluginContex { j=0;k=0; //set everything back for the next route entry - memset(mask_part,0,6); memset(framednetmask_cidr,0,3); memset(framedip,0,16); memset(framednetmask,0,16); 
@@ -1674,78 +1672,31 @@ int UserAuth::createCcdFile(PluginContex //create string for client config file //transform framednetmask_cidr - d2=7; - d1=0; memset(framednetmask,0,16); - if (atoi(framednetmask_cidr)>32) + d2=atoi(framednetmask_cidr); + if (d2>32) { cerr << getTime() << "RADIUS-PLUGIN: Bad net CIDR netmask.\n"; } else { - for (k=1; k<=atoi(framednetmask_cidr); k++) + if (d2==32) { - d1=d1+pow(2,d2); - d2--; - - if (k==8) - { - sprintf(mask_part,"%.0lf.", d1); - d1=0; - d2=7; - strncat(framednetmask, mask_part, 4); - memset(mask_part,0,6); - } - if(k==16) - { - sprintf(mask_part,"%.0lf.", d1); - d1=0; - d2=7; - strncat(framednetmask, mask_part, 4); - memset(mask_part,0,6); - } - if(k==24) - { - sprintf(mask_part,"%.0lf.", d1); - d1=0; - d2=7; - strncat(framednetmask, mask_part, 4); - memset(mask_part,0,6); - } + d1=0xffffffffUL; } - if (j<8) + else if (d2==0) { - sprintf(mask_part,"%.0lf.", d1); - d1=0; - strncat(framednetmask, mask_part, 4); - strncat(framednetmask, "0.0.0", 5); - memset(mask_part,0,6); + d1=0x00000000UL; } - else if (j<16) + else { - sprintf(mask_part,"%.0lf.", d1); - d1=0; - strncat(framednetmask, mask_part, 4); - strncat(framednetmask, "0.0", 3); - memset(mask_part,0,6); + d1=((1UL<<d2)-1UL)<<(32-d2); } - else if (j<24) - { - sprintf(mask_part,"%.0lf.", d1); - d1=0; - strncat(framednetmask, mask_part, 4); - strncat(framednetmask, "0", 1); - memset(mask_part,0,6); - } - else if (j>24) - { - sprintf(mask_part,"%.0lf", d1); - d1=0; - strncat(framednetmask, mask_part, 4); - memset(mask_part,0,6); - } - - + snprintf(framednetmask, 16, "%lu.%lu.%lu.%lu", + (d1 >> 24) & 0xff, + (d1 >> 16) & 0xff, + (d1 >> 8) & 0xff, + (d1 ) & 0xff); } if (DEBUG (context->getVerbosity()))
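Review bot: In the first hunk (@@ -1493), `unsigned long d1,d2;` keeps a platform-dependent width (64 bits on amd64, 32 bits on i386) for what the commit message calls a 32bit value, and keeps the names d1/d2 that say nothing about their roles. A `uint32_t` for the mask and a plain `unsigned int` for the prefix length, named accordingly, would document the intent and make the later shifts independent of the width of long. If `k` has no other use once the counting loop is gone, its declaration and the `k=0` reset in the second hunk can be dropped as well.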
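Review bot: In the third hunk (@@ -1674), the `if (d2>32)` branch only writes "Bad net CIDR netmask" to cerr and then falls through with `framednetmask` left empty by the preceding memset, so the code after the if/else still proceeds with an empty netmask; skip the route entry or return an error there. `d2=atoi(framednetmask_cidr)` also turns non-numeric input into 0, which silently produces 0.0.0.0 (a negative value wraps to a huge unsigned long and is caught by the >32 check); `strtol` with an end-pointer check would reject it explicitly. In the `snprintf` call, `sizeof(framednetmask)` is preferable to the literal 16 so the bound follows the declaration.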
--- End Message ---
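
The prefix-length-to-netmask conversion discussed in the report above, as an added example that is not part of the original report or of openvpn-auth-radius. It goes beyond the patch by parsing the prefix strictly and treating truncated output as an error; the function name `prefix_to_netmask` and the sample inputs are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not from openvpn-auth-radius: turn a CIDR prefix
 * length given as text ("0".."32") into a dotted-quad netmask string.
 * Returns 0 on success, -1 on invalid input or a too-small buffer. */
static int prefix_to_netmask(const char *prefix, char *out, size_t outlen)
{
    char *end;
    long bits;
    uint32_t mask;
    int n;
    if (prefix == NULL || out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';                       /* failure leaves an empty string */

    /* Require a leading digit: strtol alone would accept " 24", "+24", "-1". */
    if (prefix[0] < '0' || prefix[0] > '9')
        return -1;
    bits = strtol(prefix, &end, 10);     /* overflow yields LONG_MAX, > 32 */
    if (*end != '\0' || bits > 32)       /* trailing junk ("2x") or /33 */
        return -1;

    /* A 32-bit shift by 32 is undefined, so /0 is handled separately. */
    mask = (bits == 0) ? 0 : (uint32_t)(0xffffffffu << (32 - bits));

    n = snprintf(out, outlen, "%u.%u.%u.%u",
                 (unsigned)(mask >> 24) & 0xffu, (unsigned)(mask >> 16) & 0xffu,
                 (unsigned)(mask >> 8) & 0xffu, (unsigned)mask & 0xffu);
    if (n < 0 || (size_t)n >= outlen) {  /* output would have been truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, including the /29 case from the report. */
    const char *samples[] = { "29", "0", "32", "33", "2x", "-1" };
    char buf[16];                        /* "255.255.255.255" plus NUL */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = prefix_to_netmask(samples[i], buf, sizeof buf);
        printf("/%s -> %s\n", samples[i], rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```
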
--- Begin Message ---
Source: openvpn-auth-radius
Source-Version: 2.1-5

We believe that the bug you reported is fixed in the latest version of openvpn-auth-radius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Torge Szczepanek <[email protected]> (supplier of updated openvpn-auth-radius package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Nov 2013 15:44:23 +0100
Source: openvpn-auth-radius
Binary: openvpn-auth-radius openvpn-auth-radius-dbg
Architecture: source amd64
Version: 2.1-5
Distribution: unstable
Urgency: low
Maintainer: Cygnus Networks GmbH <[email protected]>
Changed-By: Dr. Torge Szczepanek <[email protected]>
Description:
 openvpn-auth-radius - OpenVPN RADIUS authentication module
 openvpn-auth-radius-dbg - debugging symbols for openvpn-plugin-radius
Closes: 727564
Changes:
 openvpn-auth-radius (2.1-5) unstable; urgency=low
 .
   * Update maintainer address
   * Bump standards version - no changes needed
   * Fix "netmask computation is bogus" thanks to Samuel Thibault (Closes: #727564)
--- End Message ---

