#37 racoon crash/core dump when using NAT-T

Milestone: 0.6 branch
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-01-16
Created: 2005-09-29
Creator: Dave Huang
Private: No

I'm trying to get an IPsec tunnel set up between a Linux box (kernel 2.6.9-1.681_FC3, ipsec-tools 0.6.1) and a D-Link DI-804HV (firmware 1.41). The D-Link is behind a NAT, but both it and ipsec-tools support NAT-T, so it should work, right?

racoon is crashing trying to dereference a null pointer. Running racoon -F -v under gdb gives:

2005-09-21 13:02:05: INFO: @(#)ipsec-tools 0.6.1 (http://ipsec-tools.sourceforge.net)
2005-09-21 13:02:05: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2005-09-21 13:02:06: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2005-09-21 13:02:06: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2005-09-21 13:02:06: INFO: 69.15.146.2[500] used as isakmp port (fd=8)
2005-09-21 13:02:06: INFO: 69.15.146.2[500] used for NAT-T
2005-09-21 13:02:06: DEBUG: get pfkey X_SPDDUMP message
2005-09-21 13:02:06: DEBUG: get pfkey X_SPDDUMP message
2005-09-21 13:02:06: DEBUG: sub:0xfefed0a0: 10.2.1.0/24[0] 10.1.1.0/24[0] proto=any dir=out
2005-09-21 13:02:06: DEBUG: db :0x888aba0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=in
2005-09-21 13:02:06: DEBUG: get pfkey X_SPDDUMP message
2005-09-21 13:02:06: DEBUG: sub:0xfefed0a0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=fwd
2005-09-21 13:02:06: DEBUG: db :0x888aba0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=in
2005-09-21 13:02:06: DEBUG: sub:0xfefed0a0: 10.1.1.0/24[0] 10.2.1.0/24[0] proto=any dir=fwd
2005-09-21 13:02:06: DEBUG: db :0x888c348: 10.2.1.0/24[0] 10.1.1.0/24[0] proto=any dir=out
2005-09-21 13:02:08: DEBUG: ===
2005-09-21 13:02:08: DEBUG: 108 bytes message received from 24.242.176.90[500] to 69.15.146.2[500]
2005-09-21 13:02:08: DEBUG:
7e168701 6d967aa9 00000000 00000000 01100200 00000000 0000006c 0d00003c
00000001 00000001 00000030 01010401 03000010 00000024 01010000 80010005
80020002 80030001 80040002 800b0001 000c0004 00000e10 00000014 7d9419a6
5310ca6f 2c179d92 15529d56
2005-09-21 13:02:08: DEBUG: configuration found for 24.242.176.90.
2005-09-21 13:02:08: DEBUG: ===
2005-09-21 13:02:08: INFO: respond new phase 1 negotiation: 69.15.146.2[500]<=>24.242.176.90[500]
2005-09-21 13:02:08: INFO: begin Identity Protection mode.
2005-09-21 13:02:08: DEBUG: begin.
2005-09-21 13:02:08: DEBUG: seen nptype=1(sa)
2005-09-21 13:02:08: DEBUG: seen nptype=13(vid)
2005-09-21 13:02:08: DEBUG: succeed.
2005-09-21 13:02:08: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2005-09-21 13:02:08: DEBUG: total SA len=56
2005-09-21 13:02:08: DEBUG:
00000001 00000001 00000030 01010401 03000010 00000024 01010000 80010005
80020002 80030001 80040002 800b0001 000c0004 00000e10
2005-09-21 13:02:08: DEBUG: begin.
2005-09-21 13:02:08: DEBUG: seen nptype=2(prop)
2005-09-21 13:02:08: DEBUG: succeed.
2005-09-21 13:02:08: DEBUG: proposal #1 len=48
2005-09-21 13:02:08: WARNING: SPI size isn't zero, but IKE proposal.
2005-09-21 13:02:08: DEBUG: begin.
2005-09-21 13:02:08: DEBUG: seen nptype=3(trns)
2005-09-21 13:02:08: DEBUG: succeed.
2005-09-21 13:02:08: DEBUG: transform #1 len=36
2005-09-21 13:02:09: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2005-09-21 13:02:09: DEBUG: encryption(3des)
2005-09-21 13:02:09: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2005-09-21 13:02:09: DEBUG: hash(sha1)
2005-09-21 13:02:09: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
2005-09-21 13:02:09: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2005-09-21 13:02:09: DEBUG: hmac(modp1024)
2005-09-21 13:02:09: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2005-09-21 13:02:09: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2005-09-21 13:02:09: DEBUG: pair 1:
2005-09-21 13:02:09: DEBUG: 0x888b820: next=(nil) tnext=(nil)
2005-09-21 13:02:09: DEBUG: proposal #1: 1 transform
2005-09-21 13:02:09: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=4, #trns=1
2005-09-21 13:02:09: DEBUG: trns#=1, trns-id=IKE
2005-09-21 13:02:09: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2005-09-21 13:02:09: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2005-09-21 13:02:09: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
2005-09-21 13:02:09: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2005-09-21 13:02:09: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2005-09-21 13:02:09: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2005-09-21 13:02:09: DEBUG: Compared: DB:Peer
2005-09-21 13:02:09: DEBUG: (lifetime = 28800:3600)
2005-09-21 13:02:09: DEBUG: (lifebyte = 0:0)
2005-09-21 13:02:09: DEBUG: enctype = 3DES-CBC:3DES-CBC
2005-09-21 13:02:09: DEBUG: (encklen = 0:0)
2005-09-21 13:02:09: DEBUG: hashtype = SHA:SHA
2005-09-21 13:02:09: DEBUG: authmethod = pre-shared key:pre-shared key
2005-09-21 13:02:09: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
2005-09-21 13:02:09: DEBUG: an acceptable proposal found.
2005-09-21 13:02:09: DEBUG: hmac(modp1024)
2005-09-21 13:02:09: DEBUG: new cookie:
e3134e604669c155
2005-09-21 13:02:09: DEBUG: add payload of len 56, next type 0
2005-09-21 13:02:09: DEBUG: 88 bytes from 69.15.146.2[500] to 24.242.176.90[500]
2005-09-21 13:02:09: DEBUG: sockname 69.15.146.2[500]
2005-09-21 13:02:09: DEBUG: send packet from 69.15.146.2[500]
2005-09-21 13:02:09: DEBUG: send packet to 24.242.176.90[500]
2005-09-21 13:02:09: DEBUG: src4 69.15.146.2[500]
2005-09-21 13:02:09: DEBUG: dst4 24.242.176.90[500]
2005-09-21 13:02:09: DEBUG: 1 times of 88 bytes message will be sent to 24.242.176.90[500]
2005-09-21 13:02:09: DEBUG:
7e168701 6d967aa9 e3134e60 4669c155 01100200 00000000 00000058 0000003c
00000001 00000001 00000030 01010401 00000000 00000024 01010000 80010005
80020002 80030001 80040002 800b0001 000c0004 00000e10
2005-09-21 13:02:09: DEBUG: resend phase1 packet 7e1687016d967aa9:e3134e604669c155
2005-09-21 13:02:09: DEBUG: ===
2005-09-21 13:02:09: DEBUG: 232 bytes message received from 24.242.176.90[500] to 69.15.146.2[500]
2005-09-21 13:02:09: DEBUG:
7e168701 6d967aa9 e3134e60 4669c155 04100200 00000000 000000e8 0a000084
5ea03af2 5d82075d 869dab65 708d75e1 a8cca76d 85bdfd18 07e74f86 6622a74a
167ac92d 1087ecbb 5bed0552 eb72287d c3770519 d9375fd3 f7dddc31 1e44928a
154ad511 e10fcb51 e53b7cb5 f76954c9 f5a894cd a23e1444 1261e9b1 21226db8
694b5102 907a8758 53b678d6 35c09010 f89154b1 db5a3e7c 94b8225a c7539f66
82000018 5c89b298 14c70bd2 a195d215 69a9003c f503adcd 82000018 84523d42
5f6e9638 a1b30b39 1a141491 7cfce516 00000018 d5f8dc8f 18619ca2 333b2400
bed8890f 36e19e6e
2005-09-21 13:02:09: DEBUG: begin.
2005-09-21 13:02:09: DEBUG: seen nptype=4(ke)
2005-09-21 13:02:09: DEBUG: seen nptype=10(nonce)
2005-09-21 13:02:09: DEBUG: seen nptype=130(nat-d)
2005-09-21 13:02:09: DEBUG: seen nptype=130(nat-d)
2005-09-21 13:02:09: DEBUG: succeed.

Program received signal SIGSEGV, Segmentation fault.
0x08052e56 in ident_r2recv (iph1=0x888c7c0, msg=0x888cb60) at isakmp_ident.c:1066
1066            if (pa->type == iph1->natt_options->payload_nat_d)
(gdb) print iph1
$1 = (struct ph1handle *) 0x888c7c0
(gdb) print iph1->natt_options
$2 = (struct ph1natt_options *) 0x0
(gdb) where
#0  0x08052e56 in ident_r2recv (iph1=0x888c7c0, msg=0x888cb60) at isakmp_ident.c:1066
#1  0x0804eb47 in isakmp_main (msg=0x888cb60, remote=0xfefed180, local=0xfefed100) at isakmp.c:754
#2  0x0804fc27 in isakmp_handler (so_isakmp=8) at isakmp.c:359
#3  0x0804befe in session () at session.c:178
#4  0x0804b93f in main (ac=0, av=0xfefed454) at main.c:266
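
What the backtrace shows is a payload-dispatch loop in the responder's handling of the second main-mode message (before any authentication has happened) that reads iph1->natt_options->payload_nat_d without first checking that natt_options was ever allocated; the peer's message carries two NAT-D payloads (nptype=130, the draft-ietf-ipsec-nat-t-ike private-use value), so the comparison runs and the NULL pointer is dereferenced. The following is an added example, not code from ipsec-tools or from the reporter: a bounds-checked ISAKMP payload walk in C that models the missing guard. The message bytes are taken from the 232-byte hex dump in the log above; the struct names ph1_state, natt_options and the functions walk_payloads and load_peer_msg are this example's own stand-ins and are not racoon's definitions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input: the peer's 232-byte second message, copied from the hex
 * dump in the racoon log above (ISAKMP header, then KE, NONCE, NAT-D, NAT-D). */
static const char kPeerMsgHex[] =
    "7e168701 6d967aa9 e3134e60 4669c155 04100200 00000000 000000e8 0a000084 "
    "5ea03af2 5d82075d 869dab65 708d75e1 a8cca76d 85bdfd18 07e74f86 6622a74a "
    "167ac92d 1087ecbb 5bed0552 eb72287d c3770519 d9375fd3 f7dddc31 1e44928a "
    "154ad511 e10fcb51 e53b7cb5 f76954c9 f5a894cd a23e1444 1261e9b1 21226db8 "
    "694b5102 907a8758 53b678d6 35c09010 f89154b1 db5a3e7c 94b8225a c7539f66 "
    "82000018 5c89b298 14c70bd2 a195d215 69a9003c f503adcd 82000018 84523d42 "
    "5f6e9638 a1b30b39 1a141491 7cfce516 00000018 d5f8dc8f 18619ca2 333b2400 "
    "bed8890f 36e19e6e";

#define ISAKMP_HDR_LEN     28
#define ISAKMP_NPTYPE_NONE 0
#define NPTYPE_NATD_DRAFT  130   /* NAT-D payload type the log reports as nptype=130(nat-d) */

/* Assumed stand-ins for racoon's ph1handle / ph1natt_options, not racoon's definitions. */
struct natt_options { int payload_nat_d; };
struct ph1_state    { struct natt_options *natt_options; };  /* NULL: no NAT-T state set up */

struct walk_result { int payloads; int natd_seen; int natd_handled; int error; };

static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decodes hex text (whitespace ignored) into out; returns byte count, 0 on error. */
static size_t hex_decode(const char *hex, uint8_t *out, size_t cap)
{
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        if (isspace((unsigned char)*hex)) continue;
        int v = hex_nibble((unsigned char)*hex);
        if (v < 0) return 0;
        if (hi < 0) { hi = v; continue; }
        if (n >= cap) return 0;
        out[n++] = (uint8_t)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? n : 0;
}

/* Walks the ISAKMP payload chain with bounds checks. NAT-D payloads are matched
 * against the phase-1 NAT-T options only when those options exist; the line at
 * isakmp_ident.c:1066 in the backtrace did the same comparison unconditionally. */
static struct walk_result walk_payloads(const struct ph1_state *iph1,
                                        const uint8_t *msg, size_t len)
{
    struct walk_result r = {0, 0, 0, 0};
    if (len < ISAKMP_HDR_LEN) { r.error = 1; return r; }

    uint32_t declared = ((uint32_t)msg[24] << 24) | ((uint32_t)msg[25] << 16) |
                        ((uint32_t)msg[26] << 8)  |  (uint32_t)msg[27];
    if (declared != len) { r.error = 1; return r; }   /* header length vs. bytes received */

    uint8_t np = msg[16];                              /* "next payload" in the ISAKMP header */
    size_t off = ISAKMP_HDR_LEN;
    while (np != ISAKMP_NPTYPE_NONE) {
        if (off + 4 > len) { r.error = 1; return r; }  /* no room for a payload header */
        size_t plen = ((size_t)msg[off + 2] << 8) | msg[off + 3];
        if (plen < 4 || plen > len - off) { r.error = 1; return r; }  /* payload overruns */
        r.payloads++;

        if (np == NPTYPE_NATD_DRAFT) {
            r.natd_seen++;
            /* The guard racoon was missing: no NAT-T state, no dereference. */
            if (iph1->natt_options != NULL && np == iph1->natt_options->payload_nat_d)
                r.natd_handled++;
        }
        np = msg[off];       /* generic payload header: next payload, reserved, length */
        off += plen;
    }
    return r;
}

/* Decodes the constructed message into buf; returns its length (232) or 0 on error. */
static size_t load_peer_msg(uint8_t *buf, size_t cap)
{
    return hex_decode(kPeerMsgHex, buf, cap);
}

int main(void)
{
    uint8_t msg[512];
    size_t len = load_peer_msg(msg, sizeof msg);
    struct ph1_state no_natt = { NULL };               /* the state racoon crashed in */
    struct natt_options opts = { NPTYPE_NATD_DRAFT };
    struct ph1_state with_natt = { &opts };

    struct walk_result a = walk_payloads(&no_natt, msg, len);
    struct walk_result b = walk_payloads(&with_natt, msg, len);
    printf("len=%zu no_natt: payloads=%d natd=%d handled=%d err=%d\n",
           len, a.payloads, a.natd_seen, a.natd_handled, a.error);
    printf("with_natt: payloads=%d natd=%d handled=%d err=%d\n",
           b.payloads, b.natd_seen, b.natd_handled, b.error);
    return 0;
}
```

With natt_options left NULL, the walk still sees all four payloads (KE, NONCE and the two NAT-D) and simply reports the NAT-D ones as unhandled instead of faulting; with options present it matches both. The length checks matter for the same reason as the NULL check: everything in this exchange arrives from an unauthenticated peer, so both the payload chain and the daemon's own per-peer state have to be validated before they are used.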

Discussion

  • Hugo Mildenberger

    See my comment #1385632. racoon mallocs are messy.

     
  • Timo Teras

    Timo Teras - 2009-01-16
    • status: open --> closed
     
  • Timo Teras

    Timo Teras - 2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.

     
