[Swan-dev] IKEv1 xauth core dump from freeanychunk() fix
Andrew Cagney
andrew.cagney at gmail.com
Fri May 25 15:47:05 UTC 2018
My fix to freeanychunk() - remember to clear .len - triggered a core
dump: http://testing.libreswan.org/results/v3.22-1470-gc793691-master/xauth-pluto-19/OUTPUT/
Since my fix was to apply a second bandaid, here are my notes:
initiator:
  gets XAUTH request
  sends back XAUTH response; and also sets up re-transmits for #1
  mumble something about IKEv1 XAUTH design flaw
  ...
  sends a child/quick sa request
  gets back a child/quick response
  ...
  re-transmit timer goes off so it re-sends #1's XAUTH response
I suspect the re-transmit should be cancelled when the quick response
comes back, or even don't re-transmit.
responder:
  sends XAUTH request
  gets back XAUTH response; saves packet in #1 .st_rpacket aka last
  packet received
  (I suspect, at this point st_tpacket gets cleared, but since it is
  the initiator clearing it is meaningless)
  ...
  gets child/quick sa request
  #1 gets magically morphed from
  STATE_MODE_CFG_R2(established-authenticated-ike) =>
  STATE_MAIN_R3(established-authenticated-ike) (magic) as in:
    if (st->st_state == STATE_MODE_CFG_R2) {
        /* ISAKMP is up... */
        change_state(st, STATE_MAIN_R3);
    }
  sets up child and responds
  ...
  gets the re-transmit and, since both #1's last packet received
  matches and STATE_MAIN_R3 has retransmit flag set, it tries to do just
  that
  but since #1's .st_tpacket is empty things barf
I suspect st_rpacket should be deleted when morphing #1?
Andrew
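The responder timeline above, replayed as an added example (not libreswan code and not part of the post): it models the clearing-.len fix to freeanychunk(), guards the duplicate-packet path against an empty st_tpacket, and compares morphing #1 with and without dropping st_rpacket. The chunk_t layout, the helpers setchunk()/handle_packet()/replay_responder() and the sample packet bytes are assumed for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char *ptr; size_t len; } chunk_t;
enum state { STATE_MODE_CFG_R2, STATE_MAIN_R3 };
/* Assumed minimal state object; field names follow the post. */
struct state_obj { enum state st_state; chunk_t st_rpacket; chunk_t st_tpacket; };

/* The fix from the post: freeing a chunk must also clear .len. */
static void freeanychunk(chunk_t *c) { free(c->ptr); c->ptr = NULL; c->len = 0; }

static void setchunk(chunk_t *c, const char *data)
{
    freeanychunk(c);
    c->len = strlen(data);
    c->ptr = malloc(c->len);
    memcpy(c->ptr, data, c->len);
}

/* Morph #1; optionally forget the XAUTH exchange's last received packet. */
static void change_state(struct state_obj *st, enum state s, bool clear_rpacket)
{
    st->st_state = s;
    if (clear_rpacket)
        freeanychunk(&st->st_rpacket);
}

/* 0: not a duplicate of the last packet received; 1: duplicate, st_tpacket re-sent;
 * 2: duplicate recognised but st_tpacket is empty (the crash case, now guarded). */
static int handle_packet(struct state_obj *st, const char *pkt)
{
    size_t len = strlen(pkt);
    if (st->st_rpacket.len != len || memcmp(st->st_rpacket.ptr, pkt, len) != 0)
        return 0;
    if (st->st_tpacket.len == 0)
        return 2;
    return 1;   /* would re-transmit st_tpacket here */
}

/* Replay the responder side: XAUTH response saved, #1 morphed on the quick
 * SA request (st_tpacket left empty as observed), then the re-transmit arrives. */
static int replay_responder(bool clear_rpacket_on_morph)
{
    struct state_obj st = { STATE_MODE_CFG_R2, {NULL, 0}, {NULL, 0} };
    setchunk(&st.st_rpacket, "XAUTH-response");   /* constructed sample packet */
    change_state(&st, STATE_MAIN_R3, clear_rpacket_on_morph);
    int r = handle_packet(&st, "XAUTH-response"); /* initiator's late re-transmit */
    freeanychunk(&st.st_rpacket);
    freeanychunk(&st.st_tpacket);
    return r;
}
```

Without clearing st_rpacket on the morph the duplicate is recognised and the empty st_tpacket path is reached (result 2); clearing it makes the late re-transmit an unrecognised packet (result 0).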