[Swan-dev] 3.16rc2 memory corruption in md->packet ?

D. Hugh Redelmeier hugh at mimosa.com
Fri Dec 4 03:41:03 UTC 2015


| From: Paul Wouters <paul at nohats.ca>
| 
| Tuomo reported this crasher:
| 
| Core was generated by `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf
| --nofork'.
| Program terminated with signal 11, Segmentation fault.
| #0  __GI___libc_free (mem=0xc50cc91a47a7c9a4) at malloc.c:2917
| 2917	  if (chunk_is_mmapped(p))                       /* release mmapped
| memory. */
| (gdb) bt
| #0  __GI___libc_free (mem=0xc50cc91a47a7c9a4) at malloc.c:2917
| #1  0x00007f1334390f42 in release_md (md=0x7f13376a38b0) at
| /usr/src/debug/libreswan-3.16rc2/programs/pluto/msgdigest.c:107
| #2  0x00007f1334351017 in release_fragments (st=st at entry=0x7f1337687010) at
| /usr/src/debug/libreswan-3.16rc2/programs/pluto/state.c:659

This is crashing in the code to delete V1 IKE fragments that might be
still hung on the state object.  The chance of this happening when a
timer goes off would seem low.  Unless some fragments were lost and the
state object was hanging around to get that lost fragment.

I wonder if we've tested that case?  Probably not.

Tuomo: were you using V1 with fragmented IKE messages?
Were you running with electric fence?

If so, this could be a reference-after-free bug.
Of course it could be anything else too.

| #3  0x00007f1334353bcc in delete_state (st=st at entry=0x7f1337687010) at
| /usr/src/debug/libreswan-3.16rc2/programs/pluto/state.c:883

We're deleting a particular state.

| #4  0x00007f13343548d3 in delete_my_family (pst=pst at entry=0x7f13375b7970,

Due to some timer event, we're deleting a family of states.
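Hugh's hypothesis above is that a fragment's packet gets freed once on some earlier path and again when delete_state's fragment cleanup walks the list. As an added example (not libreswan code; the names ike_state, ike_frag, add_fragment, release_fragments and reassemble are hypothetical), this C model shows the ownership discipline that rules that out: whichever path consumes the fragments releases them and clears the list head, so the deletion-time cleanup finds nothing to free twice.

```c
/* Added example, not pluto's code (all names hypothetical): a minimal model of
 * a state holding received IKE fragments, each owning a packet buffer like
 * md->packet, showing the ownership rule that avoids a double free on delete. */
#include <stdlib.h>
#include <string.h>

struct ike_frag { struct ike_frag *next; unsigned char *packet; size_t len; };
struct ike_state { struct ike_frag *frags; };   /* fragments hung on the state */

/* Store a copy of a received fragment; returns 0, or -1 on allocation failure. */
int add_fragment(struct ike_state *st, const unsigned char *data, size_t len)
{
    struct ike_frag *f = calloc(1, sizeof *f);
    if (f == NULL || (f->packet = malloc(len)) == NULL) { free(f); return -1; }
    memcpy(f->packet, data, len);
    f->len = len;
    f->next = st->frags;          /* prepend: newest fragment first */
    st->frags = f;
    return 0;
}
/* Free every fragment still attached; returns the number freed. Resetting the
 * list head makes a later call (e.g. from delete_state) a safe no-op. */
size_t release_fragments(struct ike_state *st)
{
    size_t n = 0;
    for (struct ike_frag *f = st->frags; f != NULL; n++) {
        struct ike_frag *next = f->next;
        free(f->packet);   /* a packet already freed elsewhere would fault here,
                              as __libc_free does in the backtrace above */
        free(f);
        f = next;
    }
    st->frags = NULL;
    return n;
}
/* Reassembly path: copy the payloads into one buffer (caller frees *out), then
 * release the fragments at once so the state never keeps pointers it no longer
 * owns. Returns the reassembled length, or 0 if there is nothing to do. */
size_t reassemble(struct ike_state *st, unsigned char **out)
{
    size_t total = 0, off = 0;
    for (struct ike_frag *f = st->frags; f != NULL; f = f->next) total += f->len;
    *out = total ? malloc(total) : NULL;
    if (*out == NULL) return 0;
    for (struct ike_frag *f = st->frags; f != NULL; f = f->next) {
        memcpy(*out + off, f->packet, f->len);
        off += f->len;
    }
    release_fragments(st);
    return total;
}
```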

