[Swan-dev] 3.16rc2 memory corruption in md->packet ?

Tuomo Soini tis at foobar.fi
Fri Dec 4 09:16:25 UTC 2015


On Thu, 3 Dec 2015 22:41:03 -0500 (EST)
"D. Hugh Redelmeier" <hugh at mimosa.com> wrote:

> | From: Paul Wouters <paul at nohats.ca>
> | 
> | Tuomo reported this crasher:
> | 
> | Core was generated by `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork'.
> | Program terminated with signal 11, Segmentation fault.
> | #0  __GI___libc_free (mem=0xc50cc91a47a7c9a4) at malloc.c:2917
> | 2917	  if (chunk_is_mmapped(p))                       /* release mmapped memory. */
> | (gdb) bt
> | #0  __GI___libc_free (mem=0xc50cc91a47a7c9a4) at malloc.c:2917
> | #1  0x00007f1334390f42 in release_md (md=0x7f13376a38b0) at /usr/src/debug/libreswan-3.16rc2/programs/pluto/msgdigest.c:107
> | #2  0x00007f1334351017 in release_fragments (st=st at entry=0x7f1337687010) at /usr/src/debug/libreswan-3.16rc2/programs/pluto/state.c:659
> 
> This is crashing in the code to delete V1 IKE fragments that might be
> still hung on the state object.  The chance of this happening when a
> timer goes off would seem low.  Unless some fragments were lost and the
> state object was hanging around to get that lost fragment.
> 
> I wonder if we've tested that case?  Probably not.
> 
> Tuomo: were you using V1 with fragmented IKE messages?
> Were you running with electric fence?

This is an IKEv2-only system. So if we are in IKEv1-only code we quite
clearly have a bug.

There was a network outage at the colo at the time this crash happened. I
have a log which I will now copy to the vault: /var/tmp/pluto-crash-17112.log

Unfortunately I was using a production build without Electric Fence and
with optimization, so we don't have full info available.


> If so, this could be a reference-after-free bug.
> Of course it could be anything else too.
> 
> | #3  0x00007f1334353bcc in delete_state (st=st at entry=0x7f1337687010) at /usr/src/debug/libreswan-3.16rc2/programs/pluto/state.c:883
> 
> We're deleting a particular state
> 
> | #4  0x00007f13343548d3 in delete_my_family (pst=pst at entry=0x7f13375b7970,
> 
> Due to some timer event, we're deleting a family of states.


-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
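The backtrace above shows free() being handed a garbage pointer from inside release_fragments(), and the thread's working hypothesis is a reference-after-free on a state reached by two deletion paths (a timer expiring, and delete_my_family walking the family). The following is an added example, not libreswan's code: a hypothetical, simplified state/fragment model whose teardown detaches the fragment chain before freeing anything, so a second release on the same state finds an empty chain instead of freed memory. All names (struct state, struct ike_frag, release_fragments, release_md, md_frees) are assumptions chosen to mirror the frame names in the trace.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a state holding a chain of IKE
 * fragments, each owning one message digest (md).  Not libreswan code. */
struct msg_digest {
    unsigned char *packet;   /* received bytes, heap-allocated */
    size_t len;
};

struct ike_frag {
    struct ike_frag *next;
    struct msg_digest *md;
};

struct state {
    struct ike_frag *ike_frags;  /* head of fragment chain, NULL when none */
};

static int md_frees;  /* counts release_md() calls, for the demo's checks */

static struct msg_digest *alloc_md(const unsigned char *bytes, size_t len) {
    struct msg_digest *md = calloc(1, sizeof *md);
    if (md == NULL) return NULL;
    md->packet = malloc(len);
    if (md->packet == NULL) { free(md); return NULL; }
    memcpy(md->packet, bytes, len);
    md->len = len;
    return md;
}

static void release_md(struct msg_digest *md) {
    if (md == NULL) return;
    free(md->packet);
    md->packet = NULL;
    free(md);
    md_frees++;
}

/* Idempotent teardown: the head pointer is detached before any free,
 * so a second call on the same state walks an empty chain rather than
 * freed memory.  Each md is owned by exactly one fragment, and the
 * fragment's md pointer is cleared before the fragment itself is freed. */
void release_fragments(struct state *st) {
    struct ike_frag *frag = st->ike_frags;
    st->ike_frags = NULL;
    while (frag != NULL) {
        struct ike_frag *next = frag->next;
        release_md(frag->md);
        frag->md = NULL;
        free(frag);
        frag = next;
    }
}

int add_fragment(struct state *st, const unsigned char *bytes, size_t len) {
    struct msg_digest *md = alloc_md(bytes, len);
    if (md == NULL) return -1;
    struct ike_frag *frag = calloc(1, sizeof *frag);
    if (frag == NULL) { release_md(md); return -1; }
    frag->md = md;
    frag->next = st->ike_frags;
    st->ike_frags = frag;
    return 0;
}

/* Demo: queue two constructed fragments, then tear the state down twice,
 * as could happen when a timer deletes a state that a family-wide delete
 * also reaches.  Returns the number of md releases observed; the second
 * release_fragments() call must add none. */
int demo_double_release(void) {
    static const unsigned char f1[] = {0x01, 0x02, 0x03};  /* constructed */
    static const unsigned char f2[] = {0x04, 0x05};        /* constructed */
    struct state st = { NULL };
    md_frees = 0;
    if (add_fragment(&st, f1, sizeof f1) != 0) return -1;
    if (add_fragment(&st, f2, sizeof f2) != 0) return -1;
    release_fragments(&st);
    release_fragments(&st);   /* second call must be a no-op */
    return md_frees;
}

int main(void) {
    return demo_double_release() == 2 ? 0 : 1;
}
```

Running it under Electric Fence or AddressSanitizer is the useful check: with the head pointer detached first, the second teardown touches no freed memory, whereas a version that freed the chain but left st->ike_frags pointing at it would be reported as a use-after-free on the second call, which is the class of failure the garbage mem= value in frame #0 suggests.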

