Hi,
While working with openswan 2.4.9 on kernel 2.6.22.7 I found a bug in file sysctl_net_ipsec.c.
The initialization of ipsec_table is improper for newer kernel versions since ctl_table structure was updated.
The 7th parameter which refer to *parent was initialized mistakenly with *proc_handler as it was in older kernel versions.
As a result ipsec proc entries under /proc/sys/net/ipsec were created as directories instead of files which led to improper behavior of openswan.
Patch attached - the patch is only for newer kernel versions.Ofcourse it should be updated for backward compatibility.
Regards,
Eran Ben-Avi
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Jivin Eran Ben-Avi lays it down ...
> Hi,
>
> While working with openswan 2.4.9 on kernel 2.6.22.7 I found a bug in file sysctl_net_ipsec.c.
> The initialization of ipsec_table is improper for newer kernel versions since ctl_table structure was updated.
> The 7th parameter which refer to *parent was initialized mistakenly with *proc_handler as it was in older kernel versions.
> As a result ipsec proc entries under /proc/sys/net/ipsec were created as directories instead of files which led to improper behavior of openswan.
> Patch attached - the patch is only for newer kernel versions.Ofcourse it should be updated for backward compatibility.
The newly released 2.4.10 version has a fix for this included, but it
only names the one field to avoid the structure alignment changes.
Probably more a topic for the openswan dev list.
I figure it needs to be more like the attached changes to 2.4.9 going forward.
Will repost one I update to 2.4.10 (and then probably 2.5...) ;-)
Cheers,
Davidm
> --- linux/net/ipsec/sysctl_net_ipsec.c 2004-07-10 17:11:18.000000000 -0200
> +++ ../openswan-2.4.9_a/linux/net/ipsec/sysctl_net_ipsec.c 2007-11-06 11:13:13.000000000 -0200
> @@ -74,45 +74,45 @@
> static ctl_table ipsec_table[] = {
> #ifdef CONFIG_KLIPS_DEBUG
> { NET_IPSEC_DEBUG_AH, "debug_ah", &debug_ah,
> - sizeof(int), 0644, NULL, &proc_dointvec},
> + sizeof(int), 0644, NULL, NULL, &proc_dointvec},
> { NET_IPSEC_DEBUG_ESP, "debug_esp", &debug_esp,
> - sizeof(int), 0644, NULL, &proc_dointvec},
> + sizeof(int), 0644, NULL, NULL, &proc_dointvec},
....
--
David McCullough, [email protected], Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.cyberguard.com
On Thu, 8 Nov 2007, David McCullough wrote:
> Date: Thu, 8 Nov 2007 10:29:13 +1000
> From: David McCullough <[email protected]>
> Cc: <[email protected]>, <[email protected]>
> To: Eran Ben-Avi <[email protected]>
> Subject: Re: [Openswan dev] improper initialization of ipsec_table in openswan
> 2.4.9
> The newly released 2.4.10 version has a fix for this included, but it
> only names the one field to avoid the structure alignment changes.
> Probably more a topic for the openswan dev list.
>
> I figure it needs to be more like the attached changes to 2.4.9 going forward.
> Will repost one I update to 2.4.10 (and then probably 2.5...) ;-)
The fix as attached, naming the structure items, is already in #testing (2.5.x)
Paul