[Openswan Users] Pluto restart caused by incoming packet possible DOS

Erich Titl erich.titl at think.ch
Sat May 2 18:32:44 EDT 2009 

Paul

Paul Wouters schrieb:
> On Thu, 30 Apr 2009, Erich Titl wrote:
> 
>>>> Apr 30 08:57:27 gatekeeper-internal pluto[1143]: FATAL ERROR: packet
>>>> from 80.238.212.245:47156: unable to malloc 0 bytes for message buffer
>>>> in comm_handle()
>>>
>>> Are you sure your server did not just leak memory and ran out of ram?
>>> That's
>>> what the error implies.
>>
>> The server definitely did not run out of memory, I am running cacti
>> against it and the graph does not show anything alike. Also these
>> servers typically run 7x24 for months and years with many tunnels open
>> and I never saw anything alike.
> 
> Well, check the code...
> 
> void
> comm_handle(const struct iface_port *ifp)
> {
>     static struct msg_digest *md;
> 
>     md = alloc_md();
> 
> Note that nothing of the packet is actually used here, and you crashed.
> You did not crash on a malicious packet, you crashed do to an internal
> problem.

Of course I do not have your deep insight to pluto's operation, but
pluto did not crash, it stopped gracefully on an allocation of 0 bytes.

Looking at the code I _believe_ it must be due to the following, which
is way past alloc_md

    /* Clone actual message contents
     * and set up md->packet_pbs to describe it.
     */
    init_pbs(&md->packet_pbs
#ifdef NAT_TRAVERSAL
        , clone_bytes(_buffer, packet_len, "message buffer in
comm_handle()")
#else
        , clone_bytes(bigbuffer, packet_len, "message buffer in
comm_handle()")
#endif
        , packet_len, "packet");

because the error message is exactly this one. Now packet_len is 0 in
this case, so no copying can be done anyway.

Looking that the packet_len is determined at

    zero(&from.sa);
    packet_len = recvfromto(ifp->fd, bigbuffer
                            , sizeof(bigbuffer), /*flags*/0
                            , &from.sa, &from_len
                            , &to.sa, &to_len);

and is not modified until to some code in the NAT_TRAVERSAL stuff

recvfromto returns either the return from recvmsg or from revcfrom. If I
understand the manual correctly, this should not occur on UDP

       These calls return the number of bytes received, or -1 if an
error  occurred.  The  return
       value will be 0 when the peer has performed an orderly shutdown.

Anyway, the value of 0 appears not to be checked and is passed to
clone_bytes.

> 
> But without a core file or other data, there is not much to post mortem
> on.

I understand and will of course give details should I ever get them.

Thanks

Erich
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3396 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.openswan.org/pipermail/users/attachments/20090503/7ed8f587/attachment.bin

More information about the Users mailing list