[Openswan Users] Pluto restart caused by incoming packet possible DOS

Erich Titl erich.titl at think.ch
Thu Apr 30 17:53:56 EDT 2009 

Paul

Paul Wouters schrieb:
> On Thu, 30 Apr 2009, Erich Titl wrote:
> 
>> I am new at this list although I am using *swan for quite a number of
>> years extensively. Today one of my servers had a pluto restart which I
>> believe I could trace back to an incoming packet from a foreign
>> source. The log looks like
>>
>> Apr 30 08:57:27 gatekeeper-internal pluto[1143]: FATAL ERROR: packet
>> from 80.238.212.245:47156: unable to malloc 0 bytes for message buffer
>> in comm_handle()
> 
> Are you sure your server did not just leak memory and ran out of ram?
> That's
> what the error implies.

The server definitely did not run out of memory, I am running cacti
against it and the graph does not show anything alike. Also these
servers typically run 7x24 for months and years with many tunnels open
and I never saw anything alike.

> 
> There is of course the one packet crasher as listed in CVE-2009-0790,
> which is fixed in openswan 2.4.14 and 2.6.21. But the error would look
> different.
> 
>> Ah, btw. I am running 2.4.7 wich is not the latest and greatest, but
>> imposed by the appliance SW (leaf.sourceforge.net). I looked into the
>> respective code on 2.6.21 and it looked pretty much the same.
> 
> If this source is still sending you this packet, either capturing the
> full packet with tcpdump, or running with plutodebug="all crypto" would
> give us enough information to replay this attack in a test environment.

It was a one timer, hopefully not to come back any time soon. The
reverse lookup showed a Linux server on the other side. If this shows up
again, I will definitely mark him for capture. Anyway, tracing the error
back from the message appears to imply that somehow a clone_bytes
operation on a block of size 0 was attempted, this by itself appears weird.

Thanks

Erich
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3396 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.openswan.org/pipermail/users/attachments/20090430/7b771dd2/attachment.bin

More information about the Users mailing list