[Swan] Libreswan 3.29 segfault in ikev2.c ikev2_process_packet()

Alan Szlosek alan at redoxengine.com
Wed Nov 6 18:11:39 UTC 2019


Can do ....

The parent was indeed deleted.

I see this:
    #533497: received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
Then 5 seconds later the deletion:
    #533497: deleting state (STATE_PARENT_R2) aged 4.913s and sending notification
Followed immediately by the crash:
    EXPECTATION FAILED: child state #533502 missing parent state #533497 (in get_ike_sa() at state.c:461)


On Wed, Nov 6, 2019 at 11:32 AM Andrew Cagney <andrew.cagney at gmail.com>
wrote:

> I'd start by going through the logs looking for messages that pertain
> to the IKE SA '#533497'.  Presumably it was deleted, but its child
> #533502 was somehow missed.
>
> On Wed, 6 Nov 2019 at 10:40, Alan Szlosek <alan at redoxengine.com> wrote:
> >
> > Hi libreswan,
> >
> > We're running libreswan 3.29 on Ubuntu with Linux kernel 4.15 and had a segfault due to a null pointer dereference in the ikev2.c code. Can you work with me to determine what caused it?
> >
> > We saw this in the logs just before the crash:
> >
> >     EXPECTATION FAILED: child state #533502 missing parent state #533497 (in get_ike_sa() at state.c:461)
>
>
> > I ran gdb against the crash dump, here's the output:
> >
> > GNU gdb (Ubuntu 8.1-0ubuntu3.1) 8.1.0.20180409-git
> > Copyright (C) 2018 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> > and "show warranty" for details.
> > This GDB was configured as "x86_64-linux-gnu".
> > Type "show configuration" for configuration details.
> > For bug reporting instructions, please see:
> > <http://www.gnu.org/software/gdb/bugs/>.
> > Find the GDB manual and other documentation resources online at:
> > <http://www.gnu.org/software/gdb/documentation/>.
> > For help, type "help".
> > Type "apropos word" to search for commands related to "word"...
> > Reading symbols from /usr/lib/ipsec/pluto...Reading symbols from /usr/lib/debug/.build-id/07/90d482ffd48ee4a7e01a43395d54c7df1747e1.debug...done.
> > done.
> > [New LWP 4703]
> > [New LWP 4713]
> > [New LWP 4708]
> > [New LWP 4714]
> > [New LWP 4707]
> > [New LWP 4712]
> > [New LWP 4711]
> > [New LWP 4715]
> > [New LWP 4709]
> > [New LWP 4716]
> > [New LWP 4710]
> > [New LWP 4720]
> > [New LWP 4717]
> > [New LWP 4718]
> > [New LWP 4719]
> > [New LWP 4721]
> > [Thread debugging using libthread_db enabled]
> > Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> > Core was generated by `/usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork'.
> > Program terminated with signal SIGSEGV, Segmentation fault.
> > #0  0x000055b4c756dfe5 in ikev2_process_packet (mdp=mdp@entry=0x7fffa7286f00) at ./programs/pluto/ikev2.c:1736
> >
> > warning: Source file is more recent than executable.
> > 1736 if (md->hdr.isa_msgid > ike->sa.st_v2_msgids.initiator.sent) {
> > [Current thread is 1 (Thread 0x7f4ad6e80900 (LWP 4703))]
> > (gdb) where
> > #0  0x000055b4c756dfe5 in ikev2_process_packet (mdp=mdp@entry=0x7fffa7286f00) at ./programs/pluto/ikev2.c:1736
> > #1  0x000055b4c7592428 in process_packet (mdp=mdp@entry=0x7fffa7286f00) at ./programs/pluto/demux.c:387
> > #2  0x000055b4c759263f in process_md (mdp=mdp@entry=0x7fffa7286f00) at ./programs/pluto/demux.c:442
> > #3  0x000055b4c7592ba6 in comm_handle (ifp=<optimized out>) at ./programs/pluto/demux.c:483
> > #4  comm_handle_cb (fd=<optimized out>, event=<optimized out>, arg=<optimized out>) at ./programs/pluto/demux.c:492
> > #5  0x00007f4ad49d88f8 in ?? () from /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6
> > #6  0x00007f4ad49d933f in event_base_loop () from /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6
> > #7  0x000055b4c754ece4 in call_server () at ./programs/pluto/server.c:1378
> > #8  0x000055b4c750c973 in main (argc=<optimized out>, argv=<optimized out>) at ./programs/pluto/plutomain.c:1789
> >
> > # I BELIEVE THE FOLLOWING SHOWS THAT THE ike VAR CONTAINS A NULL POINTER.
> > # And as you know, dereferencing a null pointer is one of the possible causes of segfaults.
> > (gdb) p md
> > $1 = (struct msg_digest *) 0x55b4c8390758
> > (gdb) p ike
> > $2 = (struct ike_sa *) 0x0
> > (gdb) p st->st_serialno
> > $6 = 533502
> >
> >
> >
> > I verified that st->st_serialno contains the expected value of 533502 (which was mentioned in the log output).
> >
> > What else should I check?
> >
> > Thanks in advance.
>


-- 
Alan Szlosek
Infrastructure Engineer
redoxengine.com <https://www.redoxengine.com>
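The situation the thread narrows down, as an added example rather than libreswan's own code: a child SA whose parent IKE SA has already been deleted, and the NULL check that the dereference at ikev2.c:1736 needs so that an orphaned child drops the packet instead of crashing pluto. The names st_serialno, st_clonedfrom and get_ike_sa follow libreswan; the table, the sent_msgid field, the deleted flag and scenario() are constructed stand-ins.

```c
#include <stddef.h>
/* Constructed model of pluto's state table. Names follow libreswan (st_serialno,
 * st_clonedfrom, get_ike_sa); the table itself is a stand-in, not pluto's code. */
typedef unsigned long so_serial_t;
struct state {
    so_serial_t st_serialno;   /* e.g. #533502 */
    so_serial_t st_clonedfrom; /* parent IKE SA serial; 0 when this is the IKE SA */
    unsigned sent_msgid;       /* stand-in for st_v2_msgids.initiator.sent */
    int deleted;               /* constructed flag: SA has already been torn down */
};
static struct state table[8];
static int nstates;
static struct state *add_state(so_serial_t serial, so_serial_t parent) {
    table[nstates] = (struct state){ .st_serialno = serial, .st_clonedfrom = parent };
    return &table[nstates++];
}

/* Live state by serial number; NULL if unknown or already deleted. */
static struct state *state_by_serialno(so_serial_t serial) {
    for (int i = 0; i < nstates; i++)
        if (table[i].st_serialno == serial && !table[i].deleted)
            return &table[i];
    return NULL;
}

/* NULL here is the "child state missing parent state" expectation failure. */
static struct state *get_ike_sa(struct state *st) {
    return st->st_clonedfrom == 0 ? st : state_by_serialno(st->st_clonedfrom);
}

enum outcome { PACKET_PROCESSED, DROPPED_ORPHAN, DROPPED_BAD_MSGID };
/* Guarded counterpart of the crash site: an orphaned child drops the packet
 * instead of dereferencing the NULL ike pointer, as happened at ikev2.c:1736. */
static enum outcome process_child_packet(struct state *st, unsigned msgid) {
    struct state *ike = get_ike_sa(st);
    if (ike == NULL)
        return DROPPED_ORPHAN;          /* unguarded, this was the SIGSEGV */
    return msgid > ike->sent_msgid ? DROPPED_BAD_MSGID : PACKET_PROCESSED;
}

/* The thread's scenario: parent #533497 deleted while child #533502 lingers. */
static enum outcome scenario(int delete_parent) {
    nstates = 0;
    struct state *ike = add_state(533497, 0);
    struct state *child = add_state(533502, 533497);
    ike->sent_msgid = 3;
    ike->deleted = delete_parent;   /* "deleting state (STATE_PARENT_R2)" */
    return process_child_packet(child, 2);
}
```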


