From: Ray K. <ata...@gm...> - 2009-10-06 18:14:00
Here's the second problem I've seen as a new user. Probably more serious, as it involves a crash. Again, 0.7.3 on Arch Linux.

If I bring up an ISAKMP-SA, with mode_cfg pull active, and don't immediately get quick mode started, the following bad behavior ensues. (If I do start quick mode right away, all appears to be fine.) No mode_cfg ack is ever sent to the gateway (bug #1?), so the peer re-sends the mode_cfg reply packet. racoon tries to process this packet, even though it's a duplicate of the one it just saw (bug #2?). This makes a mess of the data gathered from mode_cfg (in particular the data that comes in lists, which will now get duplicates). During the processing of that second mode_cfg reply, racoon crashes while trying to append onto the SPLIT_INCLUDE list (bug #3). It appears to be overrunning a buffer in script_env_append. I'd expect there's a chance of this happening when processing the first mode_cfg reply as well, though I've never seen it crash there.

A co-worker of mine used valgrind to find the location of the memory corruption, and wrote a patch. It's a trivial change, though I haven't really looked at it to understand why it works. Here it is:

--- ipsec-tools-0.7.3/src/racoon/isakmp_unity.c	2009-09-17 02:17:20.000000000 -0400
+++ ipsec-tools-0.7.3x/src/racoon/isakmp_unity.c	2009-09-17 09:56:51.000000000 -0400
@@ -364,7 +364,7 @@ int len; /* determine string length */ - len = 0; + len = 1; netentry = list; while (netentry != NULL) {

The output following is from running "racoon -Fd" under gdb. It starts when racoon begins to process the second mode_cfg reply.

2009-10-06 11:43:29: DEBUG: Configuration exchange type mode config REPLY
2009-10-06 11:43:29: DEBUG: Attribute INTERNAL_IP4_ADDRESS, len 4
2009-10-06 11:43:29: DEBUG: Attribute INTERNAL_IP4_DNS, len 4
2009-10-06 11:43:29: DEBUG: Attribute INTERNAL_IP4_DNS, len 4
2009-10-06 11:43:29: ERROR: Too many addresses given
2009-10-06 11:43:29: DEBUG: Attribute INTERNAL_IP4_NBNS, len 4
2009-10-06 11:43:29: DEBUG: Attribute INTERNAL_IP4_NBNS, len 4
2009-10-06 11:43:29: ERROR: Too many addresses given
2009-10-06 11:43:29: DEBUG: Attribute UNITY_SPLIT_INCLUDE, len 140
2009-10-06 11:43:29: DEBUG: Attribute UNITY_DEF_DOMAIN, len 12
2009-10-06 11:43:29: DEBUG: Attribute APPLICATION_VERSION, len 85
2009-10-06 11:43:29: WARNING: Ignored attribute APPLICATION_VERSION
2009-10-06 11:43:29: DEBUG: Starting a script.
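Review bot: the `len = 1` in the `/* determine string length */` block needs a comment saying what the extra byte is for; as written it is a magic constant the next reader will "fix" back to 0. From the crash site (`envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1)` in script_env_append, reached with a `value` that had already overrun its buffer) the likely reason is that the loop below counts the characters of each entry but not the terminating NUL, so a counter starting at 0 under-allocates by one byte and the terminator lands past the end of the heap block. Suggest `len = 1; /* terminating NUL */` and a second look at the loop body to confirm the per-entry count includes the separating space. Note also that this hunk only addresses the under-count (bug #3 in the report); the missing mode_cfg ack and the re-processing of the duplicate reply (bugs #1 and #2), which are what produce the repeated attributes and the "Too many addresses given" errors in the log, are untouched and need their own fix.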
*** glibc detected *** /home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon: malloc(): memory corruption: 0x00000000010326c0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f5002e03db6]
/lib/libc.so.6[0x7f5002e06a2e]
/lib/libc.so.6(__libc_malloc+0x6e)[0x7f5002e087de]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x4077e6]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x44f5c6]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x407f7f]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x451ab7]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x451f8f]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x40b784]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x40ced0]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x4063a7]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x405939]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f5002db19ed]
/home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon[0x4054d9]
======= Memory map: ========
00400000-00482000 r-xp 00000000 08:02 526254 /home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon
00681000-00684000 rw-p 00081000 08:02 526254 /home/ataraxia/junk/ipsec-tools-0.7.3/src/racoon/racoon
00684000-00689000 rw-p 00000000 00:00 0
01016000-01054000 rw-p 00000000 00:00 0 [heap]
7f4ffc000000-7f4ffc021000 rw-p 00000000 00:00 0
7f4ffc021000-7f5000000000 ---p 00000000 00:00 0
7f500250a000-7f5002520000 r-xp 00000000 08:02 1067 /usr/lib/libgcc_s.so.1
7f5002520000-7f500271f000 ---p 00016000 08:02 1067 /usr/lib/libgcc_s.so.1
7f500271f000-7f5002720000 rw-p 00015000 08:02 1067 /usr/lib/libgcc_s.so.1
7f5002720000-7f5002776000 r-xp 00000000 08:02 4242 /lib/libncursesw.so.5.7
7f5002776000-7f5002975000 ---p 00056000 08:02 4242 /lib/libncursesw.so.5.7
7f5002975000-7f500297a000 rw-p 00055000 08:02 4242 /lib/libncursesw.so.5.7
7f500297a000-7f500298f000 r-xp 00000000 08:02 7009 /usr/lib/libz.so.1.2.3.3
7f500298f000-7f5002b8e000 ---p 00015000 08:02 7009 /usr/lib/libz.so.1.2.3.3
7f5002b8e000-7f5002b8f000 rw-p 00014000 08:02 7009 /usr/lib/libz.so.1.2.3.3
7f5002b8f000-7f5002b91000 r-xp 00000000 08:02 606 /lib/libdl-2.10.1.so
7f5002b91000-7f5002d91000 ---p 00002000 08:02 606 /lib/libdl-2.10.1.so
7f5002d91000-7f5002d92000 r--p 00002000 08:02 606 /lib/libdl-2.10.1.so
7f5002d92000-7f5002d93000 rw-p 00003000 08:02 606 /lib/libdl-2.10.1.so
7f5002d93000-7f5002edc000 r-xp 00000000 08:02 581 /lib/libc-2.10.1.so
7f5002edc000-7f50030dc000 ---p 00149000 08:02 581 /lib/libc-2.10.1.so
7f50030dc000-7f50030e0000 r--p 00149000 08:02 581 /lib/libc-2.10.1.so
7f50030e0000-7f50030e1000 rw-p 0014d000 08:02 581 /lib/libc-2.10.1.so
7f50030e1000-7f50030e6000 rw-p 00000000 00:00 0
7f50030e6000-7f50030ee000 r-xp 00000000 08:02 591 /lib/libcrypt-2.10.1.so
7f50030ee000-7f50032ed000 ---p 00008000 08:02 591 /lib/libcrypt-2.10.1.so
7f50032ed000-7f50032ee000 r--p 00007000 08:02 591 /lib/libcrypt-2.10.1.so
7f50032ee000-7f50032ef000 rw-p 00008000 08:02 591 /lib/libcrypt-2.10.1.so
7f50032ef000-7f500331d000 rw-p 00000000 00:00 0
7f500331d000-7f5003357000 r-xp 00000000 08:02 6630 /lib/libreadline.so.6.0
7f5003357000-7f5003557000 ---p 0003a000 08:02 6630 /lib/libreadline.so.6.0
7f5003557000-7f500355f000 rw-p 0003a000 08:02 6630 /lib/libreadline.so.6.0
7f500355f000-7f5003560000 rw-p 00000000 00:00 0
7f5003560000-7f5003573000 r-xp 00000000 08:02 646 /lib/libresolv-2.10.1.so
7f5003573000-7f5003772000 ---p 00013000 08:02 646 /lib/libresolv-2.10.1.so
7f5003772000-7f5003773000 r--p 00012000 08:02 646 /lib/libresolv-2.10.1.so
7f5003773000-7f5003774000 rw-p 00013000 08:02 646 /lib/libresolv-2.10.1.so
7f5003774000-7f5003776000 rw-p 00000000 00:00 0
7f5003776000-7f50038dc000 r-xp 00000000 08:02 12421 /usr/lib/libcrypto.so.0.9.8
7f50038dc000-7f5003adc000 ---p 00166000 08:02 12421 /usr/lib/libcrypto.so.0.9.8
7f5003adc000-7f5003b01000 rw-p 00166000 08:02 12421 /usr/lib/libcrypto.so.0.9.8
7f5003b01000-7f5003b04000 rw-p 00000000 00:00 0
7f5003b04000-7f5003b06000 r-xp 00000000 08:02 618 /lib/libutil-2.10.1.so
7f5003b06000-7f5003d05000 ---p 00002000 08:02 618 /lib/libutil-2.10.1.so
7f5003d05000-7f5003d06000 r--p 00001000 08:02 618 /lib/libutil-2.10.1.so
7f5003d06000-7f5003d07000 rw-p 00002000 08:02 618 /lib/libutil-2.10.1.so
7f5003d07000-7f5003d24000 r-xp 00000000 08:02 595 /lib/ld-2.10.1.so
7f5003f0d000-7f5003f12000 rw-p 00000000 00:00 0
7f5003f21000-7f5003f23000 rw-p 00000000 00:00 0
7f5003f23000-7f5003f24000 r--p 0001c000 08:02 595 /lib/ld-2.10.1.so
7f5003f24000-7f5003f25000 rw-p 0001d000 08:02 595 /lib/ld-2.10.1.so
7fffe3a0c000-7fffe3a21000 rw-p 00000000 00:00 0 [stack]
7fffe3b33000-7fffe3b34000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007f5002dc4f15 in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00007f5002dc4f15 in raise () from /lib/libc.so.6
#1  0x00007f5002dc6340 in abort () from /lib/libc.so.6
#2  0x00007f5002dfe92d in __libc_message () from /lib/libc.so.6
#3  0x00007f5002e03db6 in malloc_printerr () from /lib/libc.so.6
#4  0x00007f5002e06a2e in _int_malloc () from /lib/libc.so.6
#5  0x00007f5002e087de in malloc () from /lib/libc.so.6
#6  0x00000000004077e6 in script_env_append (envp=0x7fffe3a1f3a8, envc=0x7fffe3a1f3bc, name=0x468915 "SPLIT_INCLUDE", value=0x10324c0 "86.36.32.0/255.255.240.0 172.18.0.0/255.254.0.0 172.20.0.0/255.254.0.0 204.194.24.0/255.255.248.0 128.2.1.0/255.255.255.0 128.2.14.0/255.255.255.0 128.2.15.0/255.255.255.128 128.2.104.0/255.255.255.0 "...) at isakmp.c:3121
#7  0x000000000044f5c6 in isakmp_cfg_setenv (iph1=0x102ea00, envp=0x7fffe3a1f3a8, envc=0x7fffe3a1f3bc) at isakmp_cfg.c:2015
#8  0x0000000000407f7f in script_hook (iph1=0x4fe3, script=<value optimized out>) at isakmp.c:3057
#9  0x0000000000451ab7 in isakmp_cfg_reply (iph1=0x102ea00, attrpl=<value optimized out>) at isakmp_cfg.c:458
#10 0x0000000000451f8f in isakmp_cfg_r (iph1=0x102ea00, msg=<value optimized out>) at isakmp_cfg.c:249
#11 0x000000000040b784 in isakmp_main (msg=0x1032330, remote=0x7fffe3a1f5c0, local=<value optimized out>) at isakmp.c:754
#12 0x000000000040ced0 in isakmp_handler (so_isakmp=<value optimized out>) at isakmp.c:376
#13 0x00000000004063a7 in session () at session.c:219
#14 0x0000000000405939 in main (ac=2, av=<value optimized out>) at main.c:270
(gdb) up 7
#7  0x000000000044f5c6 in isakmp_cfg_setenv (iph1=0x102ea00, envp=0x7fffe3a1f3a8, envc=0x7fffe3a1f3bc) at isakmp_cfg.c:2015
2015		if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) {
(gdb) l
2010		else {
2011			splitlist = addrlist;
2012			addrlist[0] = '\0';
2013		}
2014	
2015		if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) {
2016			plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n");
2017			return -1;
2018		}
2019		if (splitlist != addrlist)
(gdb) down 1
#6  0x00000000004077e6 in script_env_append (envp=0x7fffe3a1f3a8, envc=0x7fffe3a1f3bc, name=0x468915 "SPLIT_INCLUDE", value=0x10324c0 "86.36.32.0/255.255.240.0 172.18.0.0/255.254.0.0 172.20.0.0/255.254.0.0 204.194.24.0/255.255.248.0 128.2.1.0/255.255.255.0 128.2.14.0/255.255.255.0 128.2.15.0/255.255.255.128 128.2.104.0/255.255.255.0 "...) at isakmp.c:3121
3121		envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
(gdb) l
3116	{
3117		char *envitem;
3118		char **newenvp;
3119		int newenvc;
3120	
3121		envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
3122		if (envitem == NULL) {
3123			plog(LLV_ERROR, LOCATION, NULL,
3124				"Cannot allocate memory: %s\n", strerror(errno));
3125			return -1;
(gdb)
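The buffer under-count behind this crash, as an added example that is not racoon's code and not part of the original post: a hypothetical `struct netentry` list (names constructed) rendered with the same "count the length, then build the string" pattern the patch touches. `split_list_len` mirrors the counting loop with the counter starting at 0 (the 0.7.3 value) or 1 (the patched value), and `split_list_build` writes into a buffer of exactly that many bytes using bounded `snprintf`, so the one-byte shortfall shows up as a refused write instead of the heap corruption glibc reported. The two prefixes are taken from the SPLIT_INCLUDE value in the backtrace above; the assumption that each entry is rendered as `addr/mask ` is from that same value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a split-network list entry; constructed for
 * this example, not racoon's own struct. */
struct netentry {
    const char *addr;
    const char *mask;
    const struct netentry *next;
};

/* Two entries lifted from the SPLIT_INCLUDE value in the gdb backtrace. */
static const struct netentry entry2 = { "172.18.0.0", "255.254.0.0", NULL };
static const struct netentry entry1 = { "86.36.32.0", "255.255.240.0", &entry2 };

const struct netentry *sample_split_list(void)
{
    return &entry1;
}

/* The "determine string length" loop: every entry is rendered as
 * "addr/mask " (a '/' plus a trailing space), and `initial` is the value the
 * counter starts from, 0 in 0.7.3 and 1 after the patch. Only the latter
 * leaves room for the terminating NUL, which the loop itself never counts. */
size_t split_list_len(const struct netentry *list, size_t initial)
{
    size_t len = initial;
    for (const struct netentry *e = list; e != NULL; e = e->next)
        len += strlen(e->addr) + 1 + strlen(e->mask) + 1;
    return len;
}

/* Render the list into a buffer of exactly `bufsize` bytes. snprintf is
 * bounded by the remaining space, so an undersized buffer is reported as
 * NULL rather than overrun. The caller frees the result. */
char *split_list_build(const struct netentry *list, size_t bufsize)
{
    if (bufsize == 0)               /* no room even for the NUL */
        return NULL;
    char *buf = malloc(bufsize);
    if (buf == NULL)
        return NULL;
    buf[0] = '\0';
    size_t used = 0;
    for (const struct netentry *e = list; e != NULL; e = e->next) {
        size_t room = bufsize - used;
        int n = snprintf(buf + used, room, "%s/%s ", e->addr, e->mask);
        if (n < 0 || (size_t)n >= room) {   /* output would have been truncated */
            free(buf);
            return NULL;
        }
        used += (size_t)n;
    }
    return buf;
}

/* 1 if a buffer sized by split_list_len(list, initial) holds the whole
 * string plus its NUL, 0 if the count came up short. */
int split_list_fits(const struct netentry *list, size_t initial)
{
    char *s = split_list_build(list, split_list_len(list, initial));
    if (s == NULL)
        return 0;
    free(s);
    return 1;
}

int main(void)
{
    const struct netentry *list = sample_split_list();
    printf("counter from 0: %zu bytes, fits=%d\n",
           split_list_len(list, 0), split_list_fits(list, 0));
    printf("counter from 1: %zu bytes, fits=%d\n",
           split_list_len(list, 1), split_list_fits(list, 1));
    char *s = split_list_build(list, split_list_len(list, 1));
    if (s != NULL) {
        printf("\"%s\" (strlen %zu)\n", s, strlen(s));
        free(s);
    }
    return 0;
}
```

In the real daemon the unbounded copy did not refuse the write; it put the NUL one byte past the block, and glibc only noticed the damaged heap metadata on the next `malloc`, which is why the abort fires inside `script_env_append` rather than at the site of the overrun.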