[Swan-dev] 3.16rc2 memory corruption in md->packet ?
D. Hugh Redelmeier
hugh at mimosa.com
Fri Dec 4 03:41:03 UTC 2015
| From: Paul Wouters <paul at nohats.ca>
|
| Tuomo reported this crasher:
|
| Core was generated by `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork'.
| Program terminated with signal 11, Segmentation fault.
| #0 __GI___libc_free (mem=0xc50cc91a47a7c9a4) at malloc.c:2917
| 2917 if (chunk_is_mmapped(p)) /* release mmapped memory. */
| (gdb) bt
| #0 __GI___libc_free (mem=0xc50cc91a47a7c9a4) at malloc.c:2917
| #1 0x00007f1334390f42 in release_md (md=0x7f13376a38b0) at
| /usr/src/debug/libreswan-3.16rc2/programs/pluto/msgdigest.c:107
| #2 0x00007f1334351017 in release_fragments (st=st at entry=0x7f1337687010) at
| /usr/src/debug/libreswan-3.16rc2/programs/pluto/state.c:659
This is crashing in the code to delete V1 IKE fragments that might be
still hung on the state object. The chance of this happening when a
timer goes off would seem low. Unless some fragments were lost and the
state object was hanging around to get that lost fragment.
I wonder if we've tested that case? Probably not.
Tuomo: were you using V1 with fragmented IKE messages?
Were you running with electric fence?
If so, this could be a reference-after-free bug.
Of course it could be anything else too.
| #3 0x00007f1334353bcc in delete_state (st=st at entry=0x7f1337687010) at
| /usr/src/debug/libreswan-3.16rc2/programs/pluto/state.c:883
We're deleting a particular state.
| #4 0x00007f13343548d3 in delete_my_family (pst=pst at entry=0x7f13375b7970,
Due to some timer event, we're deleting a family of states.
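As an added illustration (not libreswan's code), a simplified stand-in for the release_fragments()/release_md() pair in the trace above: it unhooks the fragment chain from the state before freeing it, so a second release triggered by a later timer event finds an empty list instead of handing free() a stale pointer like the one in frame #0. The struct layout, the frag_new() helper and the field names are assumptions, and the sample bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for pluto's msg_digest and state. */
struct msg_digest {
    struct msg_digest *next;  /* chain of received IKE fragments */
    unsigned char *packet;    /* heap buffer that release_md() frees */
};
struct state { struct msg_digest *frags; };  /* V1 fragments still hung here */

/* Allocate one fragment holding a copy of len bytes (assumed helper). */
static struct msg_digest *frag_new(const unsigned char *data, size_t len)
{
    struct msg_digest *md = calloc(1, sizeof(*md));
    if (md == NULL) return NULL;
    md->packet = malloc(len);
    if (md->packet == NULL) { free(md); return NULL; }
    memcpy(md->packet, data, len);
    return md;
}

/* Release one fragment; null the packet pointer before freeing the digest so
 * any lingering reference trips a debug allocator (electric fence, ASan)
 * rather than silently corrupting the heap. */
static void release_md(struct msg_digest *md)
{
    free(md->packet);
    md->packet = NULL;
    free(md);
}

/* Unhook the chain from the state first, then free it, so a second call
 * (e.g. from a later timer event) sees an empty list and is a no-op rather
 * than a double free. Returns the number of fragments freed. */
size_t release_fragments(struct state *st)
{
    size_t n = 0;
    struct msg_digest *md = st->frags;
    st->frags = NULL;
    for (; md != NULL; n++) {
        struct msg_digest *next = md->next;  /* read before md is freed */
        release_md(md);
        md = next;
    }
    return n;
}
```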