[Openswan Users] Pluto restart caused by incoming packet possible DOS

Paul Wouters paul at xelerance.com
Thu Apr 30 11:39:53 EDT 2009


On Thu, 30 Apr 2009, Erich Titl wrote:

> I am new to this list although I have been using *swan extensively for quite
> a number of years. Today one of my servers had a pluto restart which I believe I
> could trace back to an incoming packet from a foreign source. The log looks 
> like
>
> Apr 30 08:57:27 gatekeeper-internal pluto[1143]: FATAL ERROR: packet from 
> 80.238.212.245:47156: unable to malloc 0 bytes for message buffer in 
> comm_handle()

Are you sure your server did not just leak memory and run out of RAM? That's
what the error implies.

There is of course the one packet crasher as listed in CVE-2009-0790,
which is fixed in openswan 2.4.14 and 2.6.21. But the error would look
different.

> Ah, btw. I am running 2.4.7 which is not the latest and greatest, but imposed
> by the appliance SW (leaf.sourceforge.net). I looked into the respective code 
> on 2.6.21 and it looked pretty much the same.

If this source is still sending you this packet, either capturing the
full packet with tcpdump, or running with plutodebug="all crypto" would
give us enough information to replay this attack in a test environment.

Paul

