Project

General

Profile

Actions
Copy link

Bug #11446

closed

Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses

Added by Jim Pingle 7 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Viktor Gurov
Category:
IPsec
Target version:
2.5.1
Start date:
02/18/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:

Description

Adding an IPv4-mapped IPv6 address as a mobile IPsec DNS server on vpn_ipsec_mobile.php (ex: fd00::1.2.3.4) causes strongSwan to fail to load the configuration:

: grep dns /var/etc/ipsec/swanctl.conf
    dns = 10.6.0.1,198.51.100.1,8.8.8.8,fd00::1.2.3.4

: swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1
loaded certificate from '/var/etc/ipsec/x509/cert-3.crt'
loaded certificate from '/var/etc/ipsec/x509/cert-6.crt'
loaded certificate from '/var/etc/ipsec/x509ca/6c0118d9.0'
loaded certificate from '/var/etc/ipsec/x509ca/8d33f237.0'
loaded certificate from '/var/etc/ipsec/x509ca/b3b66f4e.0'
loaded certificate from '/var/etc/ipsec/x509crl/6000aa83711ba.crl'
loaded certificate from '/var/etc/ipsec/x509crl/5dc46362b276b.crl'
loaded certificate from '/var/etc/ipsec/x509crl/5e13900ddfcba.crl'
loaded certificate from '/var/etc/ipsec/x509crl/5dc481d149c58.crl'
loaded certificate from '/var/etc/ipsec/x509crl/5ddbf2404b7a4.crl'
loaded certificate from '/var/etc/ipsec/x509crl/59cd3ea6e0046.crl'
loaded ECDSA key from '/var/etc/ipsec/private/cert-6.key'
loaded RSA key from '/var/etc/ipsec/private/cert-3.key'
loaded ike secret 'ike-0'
loaded ike secret 'ike-2'
loaded ike secret 'ike-4'
loaded eap secret 'eap-5'
loaded eap secret 'eap-6'
no authorities found, 0 unloaded
loading pool 'mobile-pool-v4' failed: invalid attribute value for dns
loading pool 'mobile-pool-v6' failed: invalid attribute value for dns
loaded pool 'mobile-userpool-1'
loaded pool 'mobile-userpool-2'
loaded 2 of 4 pools, 2 failed to load, 0 unloaded

Removing fd00::1.2.3.4 and replacing it with an IPv6 address or another IPv4 address allows it to function normally.

Input validation should reject this since strongSwan won't parse it, and it should also be skipped in the backend to make sure an existing broken configuration won't prevent other parts from loading.

Actions
Copy link
 #2

Updated by Jim Pingle 7 months ago

  • Status changed from New to Pull Request Review
Actions
Copy link
 #3

Updated by Jim Pingle 7 months ago

  • Target version changed from CE-Next to 2.5.1
Actions
Copy link
 #4

Updated by Jim Pingle 7 months ago

  • Subject changed from Mobile IPsec DNS server input validation does not reject IPv4-mapped IPv6 addresses to Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses

Updating subject for release notes.

Actions
Copy link
 #5

Updated by Renato Botelho 6 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

Merged and cherry-picked to 2.5.1

Actions
Copy link
 #6

Updated by Viktor Gurov 6 months ago

  • % Done changed from 0 to 100
Actions
Copy link
 #7

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Closed
Actions
Copy link

Also available in: Atom PDF