[Swan] Crash with Libreswan 3.11

Roel van Meer roel at 1afa.com
Tue Nov 4 12:21:18 EET 2014


Roel van Meer writes:

> I've tried several versions of Libreswan (3.8, 3.9, 3.11) and two versions  
> of mozilla-nss (3.13.5, 3.16.5), but the crash is seen in all combinations.

I've now also tried with nss-3.17.2, but that has the same result.

Together with a colleague I added some null pointer checks to nss (see the  
attached patch). When we do that, the crash disappears as such, but now we  
hit a failed assert:

pluto[22944]: "conn" #26: ASSERTION FAILED at /tmp/tmp.pCVGT6/libreswan-3.11/programs/pluto/crypt_dh.c:706: tkey19 != NULL
pluto[22944]: "conn" #26: ABORT at /tmp/tmp.pCVGT6/libreswan-3.11/programs/pluto/crypt_dh.c:706
pluto[22944]: "conn" #26: ABORT at /tmp/tmp.pCVGT6/libreswan-3.11/programs/pluto/crypt_dh.c:706
ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)

and on the next run:

pluto[23830]: "conn" #45: ASSERTION FAILED at /tmp/tmp.pCVGT6/libreswan-3.11/programs/pluto/crypt_dh.c:877: tkey37 != NULL
pluto[23830]: "conn" #45: ABORT at /tmp/tmp.pCVGT6/libreswan-3.11/programs/pluto/crypt_dh.c:877
pluto[23830]: "conn" #45: ABORT at /tmp/tmp.pCVGT6/libreswan-3.11/programs/pluto/crypt_dh.c:877
ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)

After that, our maintenance window ran out, so we could do no more tests.

I hope this is useful. Please let me know if I can provide any  
more information, or if there is anything I should test.

Thanks,

Roel
-------------- next part --------------
diff -ruN a/nss/lib/pk11wrap/pk11skey.c b/nss/lib/pk11wrap/pk11skey.c
--- a/nss/lib/pk11wrap/pk11skey.c	2014-10-10 18:56:55.000000000 +0200
+++ b/nss/lib/pk11wrap/pk11skey.c	2014-11-04 10:42:30.426403959 +0100
@@ -20,13 +20,13 @@
 
 static void
 pk11_EnterKeyMonitor(PK11SymKey *symKey) {
-    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) 
+    if ((symKey->slot) && (!symKey->sessionOwner || !(symKey->slot->isThreadSafe))) 
 	PK11_EnterSlotMonitor(symKey->slot);
 }
 
 static void
 pk11_ExitKeyMonitor(PK11SymKey *symKey) {
-    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) 
+    if ((symKey->slot) && (!symKey->sessionOwner || !(symKey->slot->isThreadSafe))) 
     	PK11_ExitSlotMonitor(symKey->slot);
 }
 
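Review bot: the added guard in pk11_EnterKeyMonitor and pk11_ExitKeyMonitor turns a NULL `symKey->slot` into a silent no-op instead of reporting it, which is consistent with the crash moving on to the later `tkey19 != NULL` assertion in crypt_dh.c rather than being diagnosed at its origin; a symmetric-key object with no slot is an invariant violation, so a `PR_ASSERT(symKey->slot != NULL)` (or at least a log line) ahead of the existing condition would keep the failure close to its cause. Keeping the two functions identical is right, since skipping the Enter but not the Exit (or the reverse) would unbalance the slot monitor.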
@@ -1489,7 +1489,7 @@
     PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
 
     /* move the key to a slot that can do the function */
-    if (!PK11_DoesMechanism(slot,derive)) {
+    if (slot == NULL || !PK11_DoesMechanism(slot,derive)) {
 	/* get a new base key & slot */
 	PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx);
 
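Review bot: with `slot == NULL ||` short-circuiting into the "get a new base key & slot" branch, the remainder of that branch (not included in the hunk) needs checking for uses of the old `slot` or `baseKey->slot`, for example when the key is moved or the old slot is released; please widen the context so the NULL case is visibly handled through to the end of the branch. It would also help to note in a comment how `slot` can be NULL at this point, since the pk11slot.c hunk makes the callee tolerate NULL as well and the two guards overlap.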
diff -ruN a/nss/lib/pk11wrap/pk11slot.c b/nss/lib/pk11wrap/pk11slot.c
--- a/nss/lib/pk11wrap/pk11slot.c	2014-10-10 18:56:55.000000000 +0200
+++ b/nss/lib/pk11wrap/pk11slot.c	2014-11-04 10:50:41.415893864 +0100
@@ -1815,6 +1815,10 @@
 {
     int i;
 
+    if (slot == NULL) {
+	return PR_FALSE;
+    }
+
     /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to
      * tell us we're looking form someone that has implemented get
      * random bits */
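Review bot: the hunk header carries no function name, so a reviewer cannot see which function now answers PR_FALSE for a NULL slot; regenerating the patch with `diff -p` (or naming the function in the description) would fix that. Returning PR_FALSE silently also makes a NULL slot passed by a caller indistinguishable from a slot that simply lacks the mechanism, so a `PR_ASSERT(slot != NULL)` next to the early return would surface the real defect in debug builds. Style: the `return PR_FALSE;` line is indented with a tab while the adjacent added lines use spaces.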

