[Swan] Libreswan 3.29 segfault in ikev2.c ikev2_process_packet()

Alan Szlosek alan at redoxengine.com
Wed Nov 6 15:39:46 UTC 2019

Hi libreswan,

We're running libreswan 3.29 on Ubuntu with Linux kernel 4.15 and had a
segfault due to a null pointer dereference in the ikev2.c code. Can you
work with me to determine what caused it?

We saw this in the logs just before the crash:

    EXPECTATION FAILED: child state #533502 missing parent state #533497
(in get_ike_sa() at state.c:461)

I ran gdb against the crash dump, here's the output:

GNU gdb (Ubuntu 8.1-0ubuntu3.1)
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/ipsec/pluto...Reading symbols from
[New LWP 4703]
[New LWP 4713]
[New LWP 4708]
[New LWP 4714]
[New LWP 4707]
[New LWP 4712]
[New LWP 4711]
[New LWP 4715]
[New LWP 4709]
[New LWP 4716]
[New LWP 4710]
[New LWP 4720]
[New LWP 4717]
[New LWP 4718]
[New LWP 4719]
[New LWP 4721]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/lib/ipsec/pluto --leak-detective --config
/etc/ipsec.conf --nofork'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055b4c756dfe5 in ikev2_process_packet (mdp=mdp at entry=0x7fffa7286f00)
at ./programs/pluto/ikev2.c:1736

warning: Source file is more recent than executable.
1736 if (md->hdr.isa_msgid > ike->sa.st_v2_msgids.initiator.sent) {
[Current thread is 1 (Thread 0x7f4ad6e80900 (LWP 4703))]
(gdb) where
#0  0x000055b4c756dfe5 in ikev2_process_packet (mdp=mdp at entry=0x7fffa7286f00)
at ./programs/pluto/ikev2.c:1736
#1  0x000055b4c7592428 in process_packet (mdp=mdp at entry=0x7fffa7286f00) at
#2  0x000055b4c759263f in process_md (mdp=mdp at entry=0x7fffa7286f00) at
#3  0x000055b4c7592ba6 in comm_handle (ifp=<optimized out>) at
#4  comm_handle_cb (fd=<optimized out>, event=<optimized out>,
arg=<optimized out>) at ./programs/pluto/demux.c:492
#5  0x00007f4ad49d88f8 in ?? () from
#6  0x00007f4ad49d933f in event_base_loop () from
#7  0x000055b4c754ece4 in call_server () at ./programs/pluto/server.c:1378
#8  0x000055b4c750c973 in main (argc=<optimized out>, argv=<optimized out>)
at ./programs/pluto/plutomain.c:1789

# And as you know, dereferencing a null pointer is one of the possible
causes of segfaults.
(gdb) p md
$1 = (struct msg_digest *) 0x55b4c8390758
(gdb) p ike
$2 = (struct ike_sa *) 0x0
(gdb) p st->st_serialno
$6 = 533502

I verified that st->st_serialno contains the expected value of 533502
(which was mentioned in the log output).

What else should I check?

Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20191106/a41691ff/attachment.html>

More information about the Swan mailing list