VRRP AH auth_type broken in 1.2.7
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
keepalived (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
A bug in keepalived 1.2.7 causes VRRP peers to ignore each other's VRRP packets leading to a "multi-master" situation. The logs show the following:
Aug 13 11:30:53 lb04 Keepalived_
Aug 13 11:30:53 lb04 Keepalived_
Aug 13 11:30:54 lb04 Keepalived_
Aug 13 11:30:54 lb04 Keepalived_
Aug 13 11:30:54 lb04 Keepalived_
Aug 13 11:30:55 lb04 Keepalived_
From 1.2.8 changelog:
* Ryan O'Hara fixed pointer arithmetic for VRRP packet.
When using IPSEC AH authentication, the pointer arithmetic used
to get the location of the VRRP packet is incorrect. The address
of the IPSEC header must be cast as (char *) in order to get
correct address of the VRRP packet. Without this patch,
IPSEC AH is enabled.
Please either update the package or backport the fix. The fix involves updating a single line in vrrp.c:
--- keepalived-
+++ keepalived-
@@ -238,7 +238,7 @@
if (vrrp->auth_type == VRRP_AUTH_AH) {
- hd = (vrrp_pkt *) (ah + vrrp_ipsecah_
+ hd = (vrrp_pkt *) ((char *) ah + vrrp_ipsecah_
} else {
}
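Review bot: The `+` line in the `VRRP_AUTH_AH` branch has no comment saying why the `(char *)` cast is there, and a later cleanup could easily drop it as redundant. A one-line comment noting that the offset is a byte count, and must not be scaled by the size of the type `ah` points to, would guard against that. The visible context also shows no length check before `hd` is computed, so please confirm that the received buffer is verified to hold the AH header plus the VRRP header before `hd` is dereferenced.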
Attached is a patch (keepalived_
OS: Ubuntu 14.04 LTS
Package: keepalived 1:1.2.7-1ubuntu1
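The pointer arithmetic described in the changelog entry, as an added example that is not taken from the bug report or from keepalived's source. The struct layouts, `AH_LEN`, and all function names are hypothetical, and the sample packet is constructed. The length check in `find_vrrp` goes beyond what the one-line patch changes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layouts for illustration; not keepalived's definitions. */
typedef struct {            /* 24-byte AH header: 12 fixed bytes + 96-bit ICV */
    uint8_t  next_header, payload_len;
    uint16_t reserved;
    uint32_t spi, seq;
    uint8_t  icv[12];
} ah_hdr;

typedef struct { uint8_t vers_type, vrid, priority; } vrrp_hdr;

#define AH_LEN sizeof(ah_hdr)   /* header length in BYTES */

/* Buffer typed as an ah_hdr array so both offsets below stay in bounds. */
static union { ah_hdr slots[32]; unsigned char bytes[32 * sizeof(ah_hdr)]; } pkt;

/* Pre-fix form: ah + n advances n * sizeof(ah_hdr) bytes. */
size_t offset_unfixed(void) {
    ah_hdr *ah = pkt.slots;
    return (size_t)((unsigned char *)(ah + AH_LEN) - pkt.bytes);
}

/* Fixed form: cast to char * first, so n is counted in bytes. */
size_t offset_fixed(void) {
    ah_hdr *ah = pkt.slots;
    return (size_t)((unsigned char *)((char *)ah + AH_LEN) - pkt.bytes);
}

/* Locate the VRRP header; NULL if len cannot hold both headers. */
const unsigned char *find_vrrp(const unsigned char *buf, size_t len) {
    if (len < AH_LEN + sizeof(vrrp_hdr))
        return NULL;
    return buf + AH_LEN;
}

/* Build a constructed packet: AH header followed by a VRRP header. */
size_t build_sample(void) {
    vrrp_hdr v = { 0x21, 51, 100 };   /* VRRPv2 advertisement, sample VRID */
    memset(pkt.bytes, 0, sizeof pkt.bytes);
    memcpy(pkt.bytes + AH_LEN, &v, sizeof v);
    return AH_LEN + sizeof v;
}

/* VRID as read through each offset computation. */
uint8_t vrid_fixed(void)   { build_sample(); return pkt.bytes[offset_fixed() + 1]; }
uint8_t vrid_unfixed(void) { build_sample(); return pkt.bytes[offset_unfixed() + 1]; }
```

With a 24-byte header the uncast form reads 576 bytes into the buffer instead of 24, so the fields it returns are not the peer's advertisement.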
The attachment "keepalived_ debian_ ah.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]