[Openswan dev] LEAK_DETECTIVE hits passert()

D. Hugh Redelmeier hugh at mimosa.com
Wed Dec 1 02:03:11 EST 2010

| From: Paul Wouters <paul at xelerance.com>

| With -lefence, I seem to be getting core dumps quickly. They all look like
| this:

The next thing uncovered by -lefence was (from IRC):

 Program terminated with signal 11, Segmentation fault.
 #0  quick_inI1_outR1_cryptocontinue1 (pcrc=0xb7b5afb0, r=0xbf7ec1b4, ugh=0x0)
     at /root/openswan-2.6.32rc2/programs/pluto/ikev1_quick.c:2043
 2043      if(dh->md != NULL) {
 #0  quick_inI1_outR1_cryptocontinue1 (pcrc=0xb7b5afb0, r=0xbf7ec1b4, ugh=0x0)
     at /root/openswan-2.6.32rc2/programs/pluto/ikev1_quick.c:2043
 #1  0x0809097e in send_crypto_helper_request (r=0xbf7ec1b4, cn=0xb7b5afb0, 
     at /root/openswan-2.6.32rc2/programs/pluto/pluto_crypt.c:416
 #2  0x080915c3 in build_ke (cn=0xb7b5afb0, st=0xb7b28a8c, group=0x80ee078, 
     at /root/openswan-2.6.32rc2/programs/pluto/crypt_ke.c:211
 #3  0x080704a4 in quick_inI1_outR1_authtail (b=0xbf7ed978, 
     ac=<value optimized out>)

The trouble is that in quick_inI1_outR1_cryptocontinue1, the reference
to *dh comes after it is freed by the call to start_dh_secret a few
lines earlier.

Note: this case is STF_INLINE.

start_dh_secret calls send_crypto_helper_request.

send_crypto_helper_request decides to do the requrest itself.  In line
421 it pfree's the continuation.

So dh is freed before quick_inI1_outR1_cryptocontinue1 trys to use it
in line 2043.

Since I don't really understand the logic, I cannot suggest the right


More information about the Dev mailing list