[Openswan dev] LEAK_DETECTIVE hits passert()
D. Hugh Redelmeier
hugh at mimosa.com
Wed Dec 1 02:03:11 EST 2010
| From: Paul Wouters <paul at xelerance.com>
| With -lefence, I seem to be getting core dumps quickly. They all look like
| this:
The next thing uncovered by -lefence was (from IRC):
Program terminated with signal 11, Segmentation fault.
#0 quick_inI1_outR1_cryptocontinue1 (pcrc=0xb7b5afb0, r=0xbf7ec1b4, ugh=0x0)
at /root/openswan-2.6.32rc2/programs/pluto/ikev1_quick.c:2043
2043 if(dh->md != NULL) {
#0 quick_inI1_outR1_cryptocontinue1 (pcrc=0xb7b5afb0, r=0xbf7ec1b4, ugh=0x0)
at /root/openswan-2.6.32rc2/programs/pluto/ikev1_quick.c:2043
#1 0x0809097e in send_crypto_helper_request (r=0xbf7ec1b4, cn=0xb7b5afb0,
toomuch=0xbf7ecc20)
at /root/openswan-2.6.32rc2/programs/pluto/pluto_crypt.c:416
#2 0x080915c3 in build_ke (cn=0xb7b5afb0, st=0xb7b28a8c, group=0x80ee078,
importance=pcim_ongoing_crypto)
at /root/openswan-2.6.32rc2/programs/pluto/crypt_ke.c:211
#3 0x080704a4 in quick_inI1_outR1_authtail (b=0xbf7ed978,
ac=<value optimized out>)
The trouble is that in quick_inI1_outR1_cryptocontinue1, the reference
to *dh comes after it is freed by the call to start_dh_secret a few
lines earlier.
Note: this case is STF_INLINE.
start_dh_secret calls send_crypto_helper_request.
send_crypto_helper_request decides to do the request itself. In line
421 it pfree's the continuation.
So dh is freed before quick_inI1_outR1_cryptocontinue1 tries to use it
in line 2043.
Since I don't really understand the logic, I cannot suggest the right
fix.
MCR?
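A small, added illustration of the ordering hazard described in the message above (it is not Openswan code and not part of the original post): a continuation is handed to a helper-request function that, on the inline path, performs the work and frees the continuation before returning, and the caller then dereferences it. All names here (ctx, submit_request, start_dh, buggy_continue, fixed_continue, ctx_alloc/ctx_free/ctx_use) are hypothetical stand-ins for the structures in the backtrace. The tracking allocator marks and poisons freed objects instead of calling free(), so the bad access is counted rather than faulting the process the way an Electric Fence guard page would; the sample message is constructed inline.

```c
/* Added illustration, not Openswan code: continuation freed by the callee on
 * the inline path, then touched by the caller. Names are hypothetical. */
#include <stdlib.h>
#include <string.h>

enum stf_status { STF_OK, STF_INLINE, STF_SUSPEND };

struct msg { int seq; };                    /* stands in for the message (md) */
struct ctx { struct msg *md; int secret; }; /* the continuation ("dh") */

/* --- tracking allocator: counts use-after-free instead of crashing ----- */
#define NTRACK 8
static struct ctx *tracked[NTRACK];
static int tracked_freed[NTRACK];
static int uaf_reports;

static struct ctx *ctx_alloc(void)
{
    for (int i = 0; i < NTRACK; i++)
        if (tracked[i] == NULL)
            return tracked[i] = calloc(1, sizeof(struct ctx));
    abort();                                /* the demo only needs a few */
}

static void ctx_free(struct ctx *c)         /* models pfree() */
{
    for (int i = 0; i < NTRACK; i++)
        if (tracked[i] == c) {
            tracked_freed[i] = 1;
            memset(c, 0xa5, sizeof *c);     /* poison, but keep the storage */
            return;
        }
    abort();
}

/* Every access goes through here: a freed ctx is counted and yields NULL. */
static struct ctx *ctx_use(struct ctx *c)
{
    for (int i = 0; i < NTRACK; i++)
        if (tracked[i] == c && tracked_freed[i]) { uaf_reports++; return NULL; }
    return c;
}

/* --- crypto helper model ---------------------------------------------- */
static int run_inline;                      /* 1: perform the request inline */
static struct ctx *pending;                 /* one-slot queue for the helper */
static void (*pending_work)(struct ctx *);

static void dh_work(struct ctx *c) { c->secret = 0x1234; } /* fake DH result */

/* Like send_crypto_helper_request on the STF_INLINE path: do the work, then
 * free the continuation before returning to the caller. */
static enum stf_status submit_request(struct ctx *c, void (*work)(struct ctx *))
{
    if (run_inline) { work(c); ctx_free(c); return STF_INLINE; }
    pending = c; pending_work = work;
    return STF_SUSPEND;
}

static enum stf_status start_dh(struct ctx *c) { return submit_request(c, dh_work); }

static void drain_queue(void)               /* the helper thread, later on */
{
    if (pending) { pending_work(pending); ctx_free(pending); pending = NULL; }
}

static int resume(struct msg *md, enum stf_status e)
{
    return e == STF_SUSPEND ? -1 : md->seq; /* -1: nothing to do yet */
}

/* Buggy: dereferences the continuation after start_dh may have freed it. */
static int buggy_continue(struct ctx *c)
{
    enum stf_status e = start_dh(c);
    struct ctx *live = ctx_use(c);          /* counted as UAF when inline */
    return (live && live->md) ? resume(live->md, e) : -1;
}

/* Fixed: copy out what is needed first; never touch c after handing it off. */
static int fixed_continue(struct ctx *c)
{
    struct ctx *live = ctx_use(c);
    struct msg *md = live ? live->md : NULL;
    enum stf_status e = start_dh(c);
    return md ? resume(md, e) : -1;
}

/* Run one continuation in the given mode; return the UAF count it produced. */
static int run_case(int (*cont)(struct ctx *), int inline_mode)
{
    static struct msg sample = { 7 };       /* constructed sample message */
    struct ctx *c = ctx_alloc();
    c->md = &sample;
    run_inline = inline_mode;
    uaf_reports = 0;
    cont(c);
    drain_queue();
    return uaf_reports;
}

int main(void)
{
    /* Expect 1 report only for the buggy continuation on the inline path. */
    int bad = run_case(buggy_continue, 1) + run_case(buggy_continue, 0)
            + run_case(fixed_continue, 1) + run_case(fixed_continue, 0);
    return bad == 1 ? 0 : 1;
}
```

The queued (STF_SUSPEND) path is harmless for both versions because the continuation is still live when the caller looks at it; only the inline path frees it underneath the caller, which is why the crash shows up exactly when send_crypto_helper_request decides to do the work itself.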