ppp segfaults when
- the ippool.so plugin is used within the ppp option file, AND
- the "dump" directive is also present within the ppp option file
After a Windows client initiated an IPSec/L2TP connection to the Linux VPN server and the ppp process was started by the L2TP daemon, pppd crashed with the following details:
pppd[31761]: segfault at 0 ip 00007ff71d770858 sp 00007fff04db57a0 error 4 in pppd[7ff71d748000+52000]
------------[ cut here ]------------
WARNING: at include/net/sock.h:472 udp_lib_unhash+0xbf/0xd0() (Tainted: G W ---------------- )
Modules linked in: pppol2tp ppp_deflate pppoe pppox ppp_async crc_ccitt authenc esp4 xfrm4_mode_transport arc4 ppp_mppe_mppc nf_conntrack_netlink nfnetlink ip_vs ppp_generic slhc deflate zlib_deflate ctr twofish_x86_64 twofish_common camellia serpent blowfish cast5 des_generic cbc cryptd aes_x86_64 aes_generic xcbc rmd160 sha256_generic tun crypto_null af_key xenfs iptable_mangle iptable_nat nf_nat xt_pkttype nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables xt_MARK ip6table_mangle xt_limit xt_policy nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack xt_multiport ip6table_filter ip6_tables ipv6 xen_netfront ext4 mbcache jbd2 xen_blkfront dm_mirror dm_region_hash dm_log dm_mod [last unloaded: pppol2tp]
Pid: 31501, comm: openl2tpd Tainted: G W ---------------- 2.6.32-220.4.1.el6.mppc_saref.x86_64 #1
Call Trace:
[<ffffffff81069a17>] ? warn_slowpath_common+0x87/0xc0
[<ffffffff81069a6a>] ? warn_slowpath_null+0x1a/0x20
[<ffffffff8148a22f>] ? udp_lib_unhash+0xbf/0xd0
[<ffffffff8141e8f2>] ? sk_common_release+0x32/0xd0
[<ffffffff81488ffe>] ? udp_lib_close+0xe/0x10
[<ffffffff81493df7>] ? inet_release+0x67/0x90
[<ffffffff81418a69>] ? sock_release+0x29/0x90
[<ffffffff81418ae7>] ? sock_close+0x17/0x30
[<ffffffff81177d25>] ? __fput+0xf5/0x210
[<ffffffff81177e65>] ? fput+0x25/0x30
[<ffffffff811738ad>] ? filp_close+0x5d/0x90
[<ffffffff81173985>] ? sys_close+0xa5/0x100
[<ffffffff8100b0f2>] ? system_call_fastpath+0x16/0x1b
---[ end trace 8a3a8d1bc708fc3d ]---
Jan 18 11:49:06 vpn01 openl2tpd[19195]: checking for optionsfile
Jan 18 11:49:06 vpn01 openl2tpd[19195]: setting options=/etc/ppp/options.openl2tpd
Jan 18 11:49:06 vpn01 pppd[19195]: Plugin radius.so loaded.
Jan 18 11:49:06 vpn01 pppd[19195]: Using EAP TLS.
Jan 18 11:49:06 vpn01 pppd[19195]: RADIUS plugin initialized.
Jan 18 11:49:06 vpn01 pppd[19195]: Plugin ippool.so loaded.
Jan 18 11:49:06 vpn01 pppd[19195]: Plugin pppol2tp.so loaded.
Jan 18 11:49:06 vpn01 pppd[19195]: Plugin openl2tp.so loaded.
Jan 18 11:49:06 vpn01 pppd[19195]: pppd options in effect:
Jan 18 11:49:06 vpn01 pppd[19195]: debug # (from /etc/ppp/options.openl2tpd)
Jan 18 11:49:06 vpn01 pppd[19195]: nodetach # (from command line)
Jan 18 11:49:06 vpn01 pppd[19195]: idle 1800 # (from /etc/ppp/options.openl2tpd)
Jan 18 11:49:06 vpn01 pppd[19195]: dump # (from /etc/ppp/options.openl2tpd)
Jan 18 11:49:06 vpn01 pppd[19195]: nomp # (from command line)
Jan 18 11:49:06 vpn01 pppd[19195]: plugin radius.so # (from /etc/ppp/options.openl2tpd)
Jan 18 11:49:06 vpn01 pppd[19195]: plugin ippool.so # (from command line)
Jan 18 11:49:06 vpn01 pppd[19195]: plugin pppol2tp.so # (from command line)
Jan 18 11:49:06 vpn01 pppd[19195]: plugin openl2tp.so # (from command line)
Jan 18 11:49:06 vpn01 pppd[19195]: auth # (from command line)
Jan 18 11:49:06 vpn01 pppd[19195]: refuse-pap # (from /etc/ppp/options.openl2tpd)
Jan 18 11:49:06 vpn01 pppd[19195]: refuse-chap # (from /etc/ppp/options.openl2tpd)
Jan 18 11:49:06 vpn01 pppd[19195]: refuse-mschap # (from /etc/ppp/options.openl2tpd)
Jan 18 11:49:06 vpn01 pppd[19195]: require-eap # (from /etc/ppp/options.openl2tpd)
Jan 18 11:49:06 vpn01 pppd[19195]: name openl2tp # (from /etc/ppp/options.openl2tpd)
But in general, when I comment out the "dump" directive, the ppp process continues to work without problems.
So this bug is not directly related to openl2tp, as I can reproduce it with the xl2tpd daemon.
Versions used:
ppp-2.4.5
openl2tp-1.8
ippool-1.3