[Swan-dev] 3.16rc2 memory corruption in md->packet ?

Paul Wouters paul at nohats.ca
Thu Dec 3 16:49:01 UTC 2015


Tuomo reported this crasher:

Core was generated by `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf
--nofork'.
Program terminated with signal 11, Segmentation fault.
#0  __GI___libc_free (mem=0xc50cc91a47a7c9a4) at malloc.c:2917
2917	  if (chunk_is_mmapped(p))                       /* release mmapped memory. */
(gdb) bt
#0  __GI___libc_free (mem=0xc50cc91a47a7c9a4) at malloc.c:2917
#1  0x00007f1334390f42 in release_md (md=0x7f13376a38b0) at /usr/src/debug/libreswan-3.16rc2/programs/pluto/msgdigest.c:107
#2  0x00007f1334351017 in release_fragments (st=st at entry=0x7f1337687010) at /usr/src/debug/libreswan-3.16rc2/programs/pluto/state.c:659
#3  0x00007f1334353bcc in delete_state (st=st at entry=0x7f1337687010) at /usr/src/debug/libreswan-3.16rc2/programs/pluto/state.c:883
#4  0x00007f13343548d3 in delete_my_family (pst=pst at entry=0x7f13375b7970, v2_responder_state=v2_responder_state at entry=0)
     at /usr/src/debug/libreswan-3.16rc2/programs/pluto/state.c:2218
#5  0x00007f13343591a1 in timer_event_cb (fd=<optimized out>, event=<optimized out>, arg=0x7f1337106550) at /usr/src/debug/libreswan-3.16rc2/programs/pluto/timer.c:740
#6  0x00007f1332a16a14 in event_process_active_single_queue (activeq=0x7f13365e1cd0, base=0x7f13365e3d10) at event.c:1350
#7  event_process_active (base=<optimized out>) at event.c:1420
#8  event_base_loop (base=0x7f13365e3d10, flags=flags at entry=0) at event.c:1621
#9  0x00007f133435725a in main_loop () at /usr/src/debug/libreswan-3.16rc2/programs/pluto/server.c:616
#10 call_server () at /usr/src/debug/libreswan-3.16rc2/programs/pluto/server.c:719
#11 0x00007f133433f5ca in main (argc=<optimized out>, argv=<optimized out>) at
/usr/src/debug/libreswan-3.16rc2/programs/pluto/plutomain.c:1602
(gdb) f 0
#0  __GI___libc_free (mem=0xc50cc91a47a7c9a4) at malloc.c:2917
2917	  if (chunk_is_mmapped(p))                       /* release mmapped memory. */
(gdb) f 1
#1  0x00007f1334390f42 in release_md (md=0x7f13376a38b0) at /usr/src/debug/libreswan-3.16rc2/programs/pluto/msgdigest.c:107
107		freeanychunk(md->raw_packet);
(gdb) p md
$1 = (struct msg_digest *) 0x7f13376a38b0
(gdb) p md->raw_packet
$2 = {ptr = 0xc50cc91a47a7c9a4 <Address 0xc50cc91a47a7c9a4 out of bounds>, len = 72057594577100853}
(gdb)

My guess would be that perhaps we overwrite our own structures? Any
other theories? Should Tuomo try running with valgrind or
--leak-detective?

Paul
