[Openswan dev] [PATCH] Safety check to send_packet() in server.c to prevent segfault.

Michael H. Warfield mhw at WittsEnd.com
Sat Mar 13 10:53:39 EST 2010


Hey all!

I seem to have managed to find a way to confuse pluto just by "auto --up
conn" followed later by "auto --down conn" followed later by "auto --up
conn" again.  At that point, orient() is confused and claims that both
ends are on our interface and pluto then segfaults in send_packet() in
server.c when it tries to dereference a NULL pointer for the interface
that was NULLed by orient().

There are obviously 3 problems here.

1) orient() is confused.  The internal spd database seems to be in a bad
unrecoverable state and orient() can't figure out which end is up.

2) The connection attempt is allowed to continue even after orient()
fails.

3) send_packet() doesn't check if the interface is NULL before trying to
dereference it and segfaults.

This patch addresses point number 3 and only point number 3.  It adds a
safety check to send_packet to make sure the interface is not NULL and
fails if it is.  No more segfault.

What then happens is that the connection errors but continues to retry
as if it had timed out, retrying in 20s and then 40s, etc, etc.  Ok...
That recurses back to problem #2.  But if this can happen in this one
case, there's always the possibility of another somewhere so this safety
should be needed even after fixing the other two, so this one goes
first.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openswan-2.6.24-send-packet-safety.diff
Type: text/x-patch
Size: 800 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20100313/51b6b8f5/attachment.bin 
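The guard described in the message, as an added illustration rather than the attached patch: the `struct state` and `struct iface_port` shapes, the `send_packet_checked` name and the `where` parameter are assumptions, and the packet is written to a local pipe in place of a real socket so the example runs offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Minimal stand-ins for pluto's interface and state objects (assumed shapes). */
struct iface_port { int fd; const char *name; };
struct state {
    const char *st_connection_name;
    struct iface_port *st_interface;   /* orient() can leave this NULL */
    const unsigned char *st_tpacket;   /* packet waiting to be sent */
    size_t st_tpacket_len;
};

/* Hardened send: refuse to transmit when the state has no interface instead of
 * dereferencing the NULL pointer and taking the whole daemon down. */
bool send_packet_checked(struct state *st, const char *where)
{
    if (st->st_interface == NULL) {
        fprintf(stderr, "%s: \"%s\" has no oriented interface; not sending\n",
                where, st->st_connection_name);
        return false;  /* caller treats this like a timeout and retries */
    }
    ssize_t n = write(st->st_interface->fd, st->st_tpacket, st->st_tpacket_len);
    return n == (ssize_t)st->st_tpacket_len;
}

/* Constructed case 1: interface cleared by orient(); must fail, not crash. */
int demo_null_interface(void)
{
    struct state st = { .st_connection_name = "conn", .st_interface = NULL,
                        .st_tpacket = (const unsigned char *)"IKE", .st_tpacket_len = 3 };
    return send_packet_checked(&st, "demo") ? 1 : 0;
}

/* Constructed case 2: interface present (a pipe stands in for the UDP socket). */
int demo_valid_interface(void)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    struct iface_port ifp = { .fd = fds[1], .name = "eth0" };
    struct state st = { .st_connection_name = "conn", .st_interface = &ifp,
                        .st_tpacket = (const unsigned char *)"IKE", .st_tpacket_len = 3 };
    int ok = send_packet_checked(&st, "demo") ? 1 : 0;
    char buf[8] = {0};
    if (read(fds[0], buf, 3) != 3) ok = 0;
    close(fds[0]); close(fds[1]);
    return ok && strcmp(buf, "IKE") == 0;
}

int main(void)
{
    printf("null interface -> %d, valid interface -> %d\n",
           demo_null_interface(), demo_valid_interface());
    return 0;
}
```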