[Swan] Memory Leak / LibreSwan instability

Paul Wouters paul at nohats.ca
Thu Aug 23 16:55:27 UTC 2018


On Mon, 20 Aug 2018, Madden, Joe wrote:

> Sorry, the logs seem to have gone a bit nuts in the email below, I'd added it to paste in for you.
>
> https://pastebin.com/raw/Y1ZCFcQk

You seem to have (too) many instances of the same connection trying and
failing, e.g. ssl-iptrafficsig-1-subnet-[12]. There should not be more
than one of those. The error path seems to be the cause of the leak
as well, e.g.:


Aug 20 08:27:35 hal-internal-firewall pluto[23477]: leak: 177 * msg_digest, item size: 4152
Aug 20 08:27:29 hal-internal-firewall pluto[23477]: leak: 15 * saved received dcookie, item size: 24

Seeing that you got a dcookie, the other end seems to think its load is
too high or you are an attacker. So it wants you to do the additional
proof of source IP by sending you a dcookie.

Do you ever see an established connection? I think the dcookies on their
end and the misconfiguration that is likely the problem causing retries
is what's ultimately ending up in the libreswan failure path code, which
seems to additionally cause these leaks. So while we need to fix these
leaks, you need to fix your configuration with the remote peer.

Paul
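
Added example, not part of the original message and not libreswan code:
a small parser that totals the pluto "leak:" report lines quoted above
per item type, so the dominant leak stands out. The function name, the
single-item line form and the last two sample lines are assumptions
constructed for illustration.

```python
import re
from collections import defaultdict

# Line shape taken from the two pluto lines quoted in the message:
#   "<syslog prefix> pluto[PID]: leak: <count> * <item>, item size: <bytes>"
# Assumption: a line with no "<count> * " prefix reports a single item.
LEAK_RE = re.compile(
    r"pluto\[(?P<pid>\d+)\]: leak: (?:(?P<count>\d+) \* )?"
    r"(?P<item>.+?), item size: (?P<size>\d+)\s*$"
)

SAMPLE_LOG = [
    # The two lines quoted in the message.
    "Aug 20 08:27:35 hal-internal-firewall pluto[23477]: leak: 177 * msg_digest, item size: 4152",
    "Aug 20 08:27:29 hal-internal-firewall pluto[23477]: leak: 15 * saved received dcookie, item size: 24",
    # Constructed lines: single-item form and a non-leak line.
    "Aug 20 08:27:35 hal-internal-firewall pluto[23477]: leak: example item, item size: 64",
    "Aug 20 08:27:35 hal-internal-firewall pluto[23477]: shutting down",
]

def summarize_leaks(lines):
    """Return [(pid, item, count, total_bytes)], largest total first."""
    totals = defaultdict(lambda: [0, 0])  # (pid, item) -> [count, bytes]
    for line in lines:
        m = LEAK_RE.search(line)
        if not m:
            continue  # not a leak report line
        count = int(m.group("count") or 1)
        entry = totals[(m.group("pid"), m.group("item"))]
        entry[0] += count
        entry[1] += count * int(m.group("size"))
    rows = [(pid, item, c, b) for (pid, item), (c, b) in totals.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for pid, item, count, nbytes in summarize_leaks(SAMPLE_LOG):
        print(f"pluto[{pid}] {item}: {count} items, {nbytes} bytes")
```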

