[Openswan dev]
2.4.4 doesn't fix pluto crashing on unexpected (aggressive mode request ?!) packet
Albert Siersema
appie at friendly.net
Fri Nov 18 15:28:09 CET 2005
I've compiled OpenS/WAN with these changes in Makefile.inc:
USE_AGGRESSIVE?=false
USE_XAUTH?=false
pluto crashes on receiving an unexpected packet from a peer running Sonicwall pro 3060 with sonicos enhanced
(latest OS version as far as the person I talked to could say).
There's an up & running tunnel to this device but it sends us a packet over a backup WAN line as well
(also connected to the same sonicwall). I'm not sure why it does this, I've reported it to the sonicwall
admin guy to look into. Nevertheless, the packet does crash pluto.
The debug log shows:
Nov 14 15:00:10 myhost pluto[778]: | *received 1400 bytes from a.b.c.d:500 on eth1 (port=500)
<1024 bytes hex dump snipped>
Nov 14 15:00:10 myhost pluto[778]: | **parse ISAKMP Message:
Nov 14 15:00:10 myhost pluto[778]: | initiator cookie:
Nov 14 15:00:10 myhost pluto[778]: | ....
Nov 14 15:00:10 myhost pluto[778]: | responder cookie:
Nov 14 15:00:10 myhost pluto[778]: | 00 00 00 00 00 00 00 00
Nov 14 15:00:10 myhost pluto[778]: | next payload type: ISAKMP_NEXT_SA
Nov 14 15:00:10 myhost pluto[778]: | ISAKMP version: ISAKMP Version 1.0
Nov 14 15:00:10 myhost pluto[778]: | exchange type: ISAKMP_XCHG_AGGR
Nov 14 15:00:10 myhost pluto[778]: | flags: none
Nov 14 15:00:10 myhost pluto[778]: | message ID: 00 00 00 00
Nov 14 15:00:10 myhost pluto[778]: | length: 1400
Nov 14 15:00:10 myhost pluto[778]: | processing packet with exchange type=ISAKMP_XCHG_AGGR (4)
pluto core dumps on:
#0 0x080782e4 in process_packet (mdp=0x80e04ec) at demux.c:2059
2059 if (smc->flags & SMF_INPUT_ENCRYPTED)
And yes:
(gdb) print smc
$1 = (const struct state_microcode *) 0x0
More info:
(gdb) l
2054 }
2055 else
2056 {
2057 /* packet was not encryped -- should it have been? */
2058
2059 if (smc->flags & SMF_INPUT_ENCRYPTED)
2060 {
2061 loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
2062 SEND_NOTIFICATION(INVALID_FLAGS);
2063 return;
(gdb) bt
#0 0x080782e4 in process_packet (mdp=0x80e04ec) at demux.c:2059
#1 0x08079650 in comm_handle (ifp=0x80f4948) at demux.c:1223
#2 0x0805e92e in call_server () at server.c:1161
#3 0x0805b58b in main (argc=3, argv=0xbfffef44) at plutomain.c:783
#4 0x40062dc6 in iconv_open () from /lib/libc.so.6
(gdb) bt full
#0 0x080782e4 in process_packet (mdp=0x80e04ec) at demux.c:2059
md = (struct msg_digest *) 0x80f5090
smc = (const struct state_microcode *) 0x0
new_iv_set = 0
st = (struct state *) 0x0
from_state = STATE_UNDEFINED
#1 0x08079650 in comm_handle (ifp=0x80f4948) at demux.c:1223
md = (struct msg_digest *) 0x80f5090
#2 0x0805e92e in call_server () at server.c:1161
ifp = (struct iface_port *) 0x0
#3 0x0805b58b in main (argc=3, argv=0xbfffef44) at plutomain.c:783
fork_desired = 0
log_to_stderr_desired = 0
ocspuri = 0x0
nhelpers = -1
coredir = 0x0
nat_traversal = 0
nat_t_spf = 1
keep_alive = 0
force_keepalive = 0
virtual_private = 0x0
#4 0x40062dc6 in iconv_open () from /lib/libc.so.6
No symbol table info available.
(gdb) print md->hdr.isa_xchg
$2 = 4 '\004'
and, um:
#define ISAKMP_XCHG_AGGR 4 /* Aggressive */
(gdb) print *md
$1 = {next = 0x0, raw_packet = {ptr = 0x0, len = 0}, iface = 0x80f4948, sender = {u = {v4 = {sin_family = 2, sin_port = 62465, sin_addr = {
s_addr = 2531214673}, sin_zero = "\000\000\000\000\000\000\000"}, v6 = {sin6_family = 2, sin6_port = 62465,
sin6_flowinfo = 2531214673, sin6_addr = {in6_u = {u6_addr8 = '\0' <repeats 15 times>, u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, u6_addr32 = {
0, 0, 0, 0}}}, sin6_scope_id = 0}}}, sender_port = 500, packet_pbs = {container = 0x0, desc = 0x0, name = 0x80c08cc "packet",
start = 0x80f8428 "?\226?G0?\025?", cur = 0x80f89a0 "woz\210?", roof = 0x80f89a0 "woz\210?", lenfld = 0x0, lenfld_desc = 0x0},
message_pbs = {container = 0x80f50c0, desc = 0x80db4fc, name = 0x80db94e "ISAKMP Message", start = 0x80f8428 "?\226?G0?\025?",
cur = 0x80f8444 "\004", roof = 0x80f89a0 "woz\210?", lenfld = 0x0, lenfld_desc = 0x0}, hdr = {isa_icookie = "?\226?G0?\025?",
isa_rcookie = "\000\000\000\000\000\000\000", isa_np = 1 '\001', isa_version = 16 '\020', isa_xchg = 4 '\004', isa_flags = 0 '\0',
isa_msgid = 0, isa_length = 1400}, encrypted = 0, from_state = STATE_UNDEFINED, smc = 0x0, st = 0x0, reply = {container = 0x0, desc = 0x0,
name = 0x80bc499 "reply packet", start = 0x80e2540 "?L{?\234 :C??l\217\022+??\b\020\005\001p\231?X",
cur = 0x80e2540 "?L{?\234 :C??l\217\022+??\b\020\005\001p\231?X", roof = 0x80f2540 "", lenfld = 0x0, lenfld_desc = 0x0}, rbody = {
container = 0x0, desc = 0x0, name = 0x0, start = 0x0, cur = 0x0, roof = 0x0, lenfld = 0x0, lenfld_desc = 0x0}, note = NOTHING_WRONG,
dpd = 0, digest = {{pbs = {container = 0x0, desc = 0x0, name = 0x0, start = 0x0, cur = 0x0, roof = 0x0, lenfld = 0x0, lenfld_desc = 0x0},
payload = {generic = {isag_np = 0 '\0', isag_reserved = 0 '\0', isag_length = 0}, sa = {isasa_np = 0 '\0', isasa_reserved = 0 '\0',
isasa_length = 0, isasa_doi = 0}, proposal = {isap_np = 0 '\0', isap_reserved = 0 '\0', isap_length = 0, isap_proposal = 0 '\0',
isap_protoid = 0 '\0', isap_spisize = 0 '\0', isap_notrans = 0 '\0'}, transform = {isat_np = 0 '\0', isat_reserved = 0 '\0',
isat_length = 0, isat_transnum = 0 '\0', isat_transid = 0 '\0', isat_reserved2 = 0}, id = {isaid_np = 0 '\0', isaid_reserved = 0 '\0',
isaid_length = 0, isaid_idtype = 0 '\0', isaid_doi_specific_a = 0 '\0', isaid_doi_specific_b = 0}, cert = {isacert_np = 0 '\0',
isacert_reserved = 0 '\0', isacert_length = 0, isacert_type = 0 '\0'}, cr = {isacr_np = 0 '\0', isacr_reserved = 0 '\0',
isacr_length = 0, isacr_type = 0 '\0'}, ipsec_id = {isaiid_np = 0 '\0', isaiid_reserved = 0 '\0', isaiid_length = 0,
isaiid_idtype = 0 '\0', isaiid_protoid = 0 '\0', isaiid_port = 0}, notification = {isan_np = 0 '\0', isan_reserved = 0 '\0',
isan_length = 0, isan_doi = 0, isan_protoid = 0 '\0', isan_spisize = 0 '\0', isan_type = 0}, delete = {isad_np = 0 '\0',
isad_reserved = 0 '\0', isad_length = 0, isad_doi = 0, isad_protoid = 0 '\0', isad_spisize = 0 '\0', isad_nospi = 0}, nat_oa = {
isanoa_np = 0 '\0', isanoa_reserved_1 = 0 '\0', isanoa_length = 0, isanoa_idtype = 0 '\0', isanoa_reserved_2 = 0 '\0',
isanoa_reserved_3 = 0}, attribute = {isama_np = 0 '\0', isama_reserved = 0 '\0', isama_length = 0, isama_type = 0 '\0',
isama_reserved2 = 0 '\0', isama_identifier = 0}}, next = 0x0} <repeats 20 times>}, digest_roof = 0x80f5174, chain = {
0x0 <repeats 22 times>}, quirks = {xauth_ack_msgid = 0, modecfg_pull_mode = 0, nat_traversal_vid = 0}}
As far as I can quickly tell from the code, smc is initialized from ike_microcode_index[].
Apparently it's a pointer to a struct.
Variable from_state == STATE_UNDEFINED (== STATE_IKE_FLOOR it appears ?!).
(as < STATE_IKE_FLOOR would be caught by a passert).
There's no check in the code whether smc is a valid pointer, or != NULL either.
But it is used in several places:
const struct state_microcode *smc;
/* Set smc to describe this state's properties.
smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
while (!LHAS(smc->flags, baseauth))
smc++;
passert(smc->state == from_state);
if (smc->flags & SMF_RETRANSMIT_ON_DUPLICATE)
if (smc->flags & SMF_INPUT_ENCRYPTED)
lset_t needed = smc->req_payloads;
= LIN(SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT, smc->flags)
, needed | smc->opt_payloads| LELEM(ISAKMP_NEXT_N) | LELEM(ISAKMP_NEXT_D)))
md->smc = smc;
if (smc->first_out_payload != ISAKMP_NEXT_NONE)
echo_hdr(md, (smc->flags & SMF_OUTPUT_ENCRYPTED) != 0
, smc->first_out_payload);
complete_state_transition(mdp, smc->processor(md));
I noticed there's no such thing in demux.c / process_packet() [ line 1475 in 2.4.4 ] like:
#if defined(AGGRESSIVE)
case ISAKMP_XCHG_AGGR:
#endif
(but who knows, that might not be necessary ?!)
There don't appear to be any fixes in 2.4.4 for this issue nor did I see a reference to it in openswan mantis.
Therefore I thought it might be a good idea to post it to the proper channel (i.e. the dev list ?)
with as much info as possible. If you need more info, let me know by direct email (off-dev-list).
TIA,
Albert
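A constructed C model of the smc lookup the report above points at, added here as an illustration (not Openswan's own code). The table, the state numbers and the PKT_* verdicts are assumptions; what it keeps from the report is that an exchange type with no compiled-in microcode leaves smc == NULL, and that the unchecked version dereferences it while the checked version rejects the packet first.

```c
/* Constructed model (not Openswan code) of the smc dispatch in
 * demux.c:process_packet().  Names mirror the backtrace in the report;
 * the table contents and the verdict enum are made up for this example. */
#include <stddef.h>
#include <stdbool.h>

#define SMF_INPUT_ENCRYPTED 0x01u

/* As in the report: STATE_UNDEFINED coincides with STATE_IKE_FLOOR. */
enum state_kind {
    STATE_IKE_FLOOR = 0, STATE_UNDEFINED = 0,
    STATE_MAIN_R0 = 1, STATE_AGGR_R0 = 2, STATE_IKE_ROOF = 3
};

struct state_microcode { enum state_kind state; unsigned flags; };

static const struct state_microcode main_r0 = { STATE_MAIN_R0, 0 };

/* Assumed table: no microcode for STATE_UNDEFINED (what gdb shows as
 * smc = 0x0) and none for aggressive mode when USE_AGGRESSIVE=false. */
static const struct state_microcode *ike_microcode_index[] = {
    [STATE_UNDEFINED] = NULL,
    [STATE_MAIN_R0]   = &main_r0,
    [STATE_AGGR_R0]   = NULL,
};

enum verdict { PKT_ACCEPTED, PKT_REJECTED_NO_STATE, PKT_REJECTED_FLAGS };

/* Unchecked, as in the quoted code: dereferences smc without testing it.
 * Calling this with a state that has no microcode is the reported crash. */
enum verdict process_packet_unchecked(enum state_kind from_state, bool encrypted)
{
    const struct state_microcode *smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
    if (!encrypted && (smc->flags & SMF_INPUT_ENCRYPTED))
        return PKT_REJECTED_FLAGS;
    return PKT_ACCEPTED;
}

/* Checked: bound the index and reject a packet whose state has no handler
 * (where pluto would loglog() and SEND_NOTIFICATION()) before any deref. */
enum verdict process_packet_checked(enum state_kind from_state, bool encrypted)
{
    const struct state_microcode *smc = NULL;
    if (from_state >= STATE_IKE_FLOOR && from_state < STATE_IKE_ROOF)
        smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
    if (smc == NULL)
        return PKT_REJECTED_NO_STATE;
    if (!encrypted && (smc->flags & SMF_INPUT_ENCRYPTED))
        return PKT_REJECTED_FLAGS;
    return PKT_ACCEPTED;
}
```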