[Swan-dev] IKEv1 xauth core dump from freeanychunk() fix

Andrew Cagney andrew.cagney at gmail.com
Fri May 25 15:47:05 UTC 2018

My fix to freeanychunk() - remember to clear .len - triggered a core
dump: http://testing.libreswan.org/results/v3.22-1470-gc793691-master/xauth-pluto-19/OUTPUT/

Since my fix was to apply a second bandaid, here are my notes:

     gets XAUTH request
     sends back XAUTH response; and also sets up re-transmits for #1
     mumble something about IKEv1 XAUTH design flaw
     sends a child/quick sa request
     gets back a child/quick response
     re-transmit timer goes off so it re-sends #1's XAUTH response

I suspect the re-transmit should be cancelled when the quick response
comes back, or even don't re-transmit.

    sends XAUTH request
    gets back XAUTH response; saves packet in #1 .st_rpacket aka last
packet received
    (I suspect, at this point st_tpacket gets cleared, but since it is
the initiator clearing it is meaningless)
    gets child/quick sa request
    #1 gets magically morphed from
STATE_MODE_CFG_R2(established-authenticated-ike) =>
STATE_MAIN_R3(established-authenticated-ike) (magic) as in:
            if (st->st_state == STATE_MODE_CFG_R2) {
                /* ISAKMP is up... */
                change_state(st, STATE_MAIN_R3);
    sets up child and responds
    gets the re-transmit and, since both #1's last packet received
matches and STATE_MAIN_R3 has retransmit flag set, it tries to do just
    but since #1's .st_tpacket is empty things barf

I suspect st_rpacket should be deleted when morphing #1?


More information about the Swan-dev mailing list