pluto crashes with segfault

Bug #664371 reported by Blackmoon
Affects: strongswan (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Binary package hint: strongswan

The pluto process is crashing constantly.

Oct 20 18:18:03 test-maverick kernel: [ 2708.660017] pluto[15450]: segfault at 3734 ip 001ec3ac sp bf93f110 error 4 in libstrongswan-x509.so[1ea000+c000]
Oct 20 18:18:09 test-maverick kernel: [ 2715.270674] pluto[15489]: segfault at 3734 ip 003653ac sp bfafb300 error 4 in libstrongswan-x509.so[363000+c000]
Oct 20 18:18:16 test-maverick kernel: [ 2721.650069] pluto[15491]: segfault at 3734 ip 002a23ac sp bfad4f30 error 4 in libstrongswan-x509.so[2a0000+c000]

I have configured a smartcard in ipsec.conf.
The smartcard reader is handled by pcscd, and the smartcard can be accessed with pkcs11-tool.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: strongswan 4.4.0-2ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic i686
Architecture: i386
Date: Wed Oct 20 18:29:44 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
PackageArchitecture: all
ProcEnviron:
 LANG=de_DE.utf8
 SHELL=/bin/bash
SourcePackage: strongswan

Blackmoon (ujaehrig) wrote :
Martin Willi (martinwilli) wrote :
Tobias Brunner (tobias-strongswan) wrote :
Changed in strongswan (Ubuntu):
status: New → Fix Committed
Blackmoon (ujaehrig) wrote :

I tried to install the fix, but still get a segfault.
I'm not sure that it's the same segfault as described in the patch, as, if I'm not mistaken, the log indicates the segfault happens in libstrongswan-x509.so.

Blackmoon (ujaehrig) wrote :

I tried to start pluto in gdb. The result is the following:

Program received signal SIGSEGV, Segmentation fault.
0x003141cc in equals (this=0x80e7188, other=0x0) at x509_cert.c:1248
1248 if (other->get_type(other) != CERT_X509)
(gdb) p other
$1 = (certificate_t *) 0x0
(gdb) bt
#0 0x003141cc in equals (this=0x80e7188, other=0x0) at x509_cert.c:1248
#1 0x0804d913 in cert_add (cert=0x80e8280) at certs.c:81
#2 0x08087888 in scx_find_cert_objects (module=<value optimized out>, init_args=0x0) at smartcard.c:595
#3 scx_find_all_cert_objects (module=<value optimized out>, init_args=0x0) at smartcard.c:673
#4 scx_init (module=<value optimized out>, init_args=0x0) at smartcard.c:740
#5 0x08081b86 in main (argc=3, argv=0xbffff7d4) at plutomain.c:679

Tobias Brunner (tobias-strongswan) wrote :

Thanks for the backtrace. It is indeed a different bug.

From the backtrace it looks like the list of certificates somehow gets corrupted.

Could you attach the log output with "plutodebug=all" set in ipsec.conf?

Changed in strongswan (Ubuntu):
status: Fix Committed → Confirmed
Blackmoon (ujaehrig) wrote :

I started pluto as following: /usr/lib/ipsec/pluto --nofork --stderrlog --debug-all 2> /tmp/pluto.txt
You can find the output file at: http://dl.dropbox.com/u/328576/pluto.txt

Tobias Brunner (tobias-strongswan) wrote :

Thanks.

The cause of this segfault seems to be how pluto handles the storage of two certificates with the same ID.

From your log:

| found cert in slot: 1 with id: 46, label: 'Verschluesselungs Zertifikat 1'
...
| found cert in slot: 1 with id: 46, label: 'Telesec Verschluesselungs Zertifikat'

Could you try whether the attached patch fixes the problem?

Looking over the code, I found several other awkward pieces of code that will need fixing (so this is probably not the final fix).

Tobias Brunner (tobias-strongswan) wrote :
Blackmoon (ujaehrig) wrote :

Thank you. Pluto is not crashing any more. I still can't connect to the VPN, but this might be a configuration problem. I will try to solve this by myself. If you have any other patches I should check, you can attach them to the message.

Tobias Brunner (tobias-strongswan) wrote :

Great.

Could you try the attached patch (after reverting the previous one)? This should fix the root cause of the problem.

Tobias Brunner (tobias-strongswan) wrote : Re: [Bug 664371] Re: pluto crashes with segfault

Hi Rene,

> Is there any chance of this being exploitable other than by causing
> a DoS based on admin-created configuration?

No. As far as I can see, this only happens if multiple certificates are
stored with the same ID on one smartcard. That's the only case in which the
added certificate object is actually the same as one of the stored
objects, which is a bug itself, introduced with 4.3.6, so the proper
fix for this problem is the patch I just added to the bug report (and
will push to master if it fixes the problem).

Thanks and regards,
Tobias

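To make the mechanism Tobias describes (and the NULL `other` in the gdb backtrace above) concrete, here is a constructed C model of an intrusive certificate list, added here and not pluto's code: `cert_add`, `equals`, `cert_count`, `replay` and the fingerprint values are assumptions, and only the shared smartcard id 46 comes from the report.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model (not pluto's code) of an intrusive certificate list: each
 * object carries its own link, so it may be linked only once. The report's root
 * cause was the smartcard enumeration offering cert_add() an object already stored. */
typedef struct cert_t cert_t;
struct cert_t { const char *keyid, *fingerprint; cert_t *next; };

/* NULL-safe: the reported crash was equals() dereferencing other == NULL. */
static bool equals(const cert_t *a, const cert_t *b)
{
    return a != NULL && b != NULL && strcmp(a->fingerprint, b->fingerprint) == 0;
}

/* Hardened add: reject NULL, then the identical object, then equal content.
 * Returns 0 if stored, 1 if already present, -1 on bad input. */
int cert_add(cert_t **head, cert_t *cert)
{
    if (head == NULL || cert == NULL) return -1;
    for (cert_t *other = *head; other != NULL; other = other->next) {
        if (other == cert || equals(cert, other)) return 1;
    }
    cert->next = *head;
    *head = cert;
    return 0;
}

/* Bounded walk: list length, or -1 if the list is cyclic, i.e. corrupted. */
int cert_count(const cert_t *head)
{
    int n = 0;
    for (const cert_t *c = head; c != NULL && n <= 1000; c = c->next) n++;
    return n > 1000 ? -1 : n;
}

/* Replays the report: two distinct certs share smartcard id 46 (fingerprints are
 * constructed) and one object is offered twice, as the buggy enumeration did.
 * Expect 2 with the hardened add and -1 (a cycle) with the naive re-link. */
int replay(bool hardened)
{
    cert_t enc1 = { "46", "fp-verschluesselung-1", NULL };
    cert_t enc2 = { "46", "fp-telesec", NULL };
    cert_t *list = NULL, *offered[] = { &enc1, &enc2, &enc1 };
    for (int i = 0; i < 3; i++) {
        if (hardened) cert_add(&list, offered[i]);
        else { offered[i]->next = list; list = offered[i]; }  /* naive: no identity check */
    }
    return cert_count(list);
}
```

The naive path shows why a second offer of an already linked object turns the store into a cycle, which is the "corrupted list" seen from the backtrace, while an identity check before the content comparison keeps both distinct id-46 certificates and rejects the repeat.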
Blackmoon (ujaehrig) wrote :

Thank you for the new patch.
I installed the patch (after reverting the previous one), and pluto does not crash anymore with it either. An "ipsec listcards" is working as well and shows three certificates.

Changed in strongswan (Ubuntu):
status: Confirmed → Fix Committed
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 4.5.0-1ubuntu1

---------------
strongswan (4.5.0-1ubuntu1) natty; urgency=low

  * Merge from debian unstable (LP: #664371). Remaining changes:
    - Build depend on libnm-glib-dev instead of libnm-glib-vpn-dev to
      match the network manager package naming in Ubuntu.
 -- Angel Abad <email address hidden> Wed, 05 Jan 2011 16:37:10 +0100

Changed in strongswan (Ubuntu):
status: Fix Committed → Fix Released