Re: iked's ikev2 segfaults during connection initiation from strongswan

Reyk Floeter Wed, 25 Sep 2013 12:59:54 -0700

Hi,


On 25.09.2013, at 15:23, LEVAI Daniel <l...@ecentrum.hu> wrote:

> On sze, szept 25, 2013 at 14:57:13 +0200, Mike Belopuhov wrote:
>> On 25 September 2013 14:41, LEVAI Daniel <l...@ecentrum.hu> wrote:
>>> Hi!
>>> 
>>> I'm trying to setup StrongSwan (oh, the pain...) to iked(8) IPsec.  When
>>> trying to bring up the connection from the Linux end (ipsec up
>>> <connection>), the iked(8) at the OpenBSD (5.3-stable) endpoint
>>> segfaults. I'm trying to use certs and public keys for authentication
>>> for this host-to-host ESP tunnel connection.
>>> For the life of me I can not get a coredump from the ikev2 program, but
>>> attaching gdb to its PID won't give me a bt either because it can't seem
>>> to load the symbol table. I've recompiled iked from sources with
>>> CFLAGS=-g and without stripping, but still, no luck.
>>> 
>> 
>> use "CFLAGS=-g -DDEBUG" to disable chroot and generate a core dump.
> 
> Thanks! Here is gdb's output:
> 
> # gdb /sbin/iked iked.core
> GNU gdb 6.3
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-unknown-openbsd5.3"...
> Core was generated by `iked'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at 
> /usr/src/sbin/iked/ikev2_msg.c:296
> 296           m->msg_exchange = hdr->ike_exchange;

this shouldn't fail, it sounds like memory corruption somewhere else.

but can you also print *m and *hdr in gdb?

Reyk

> (gdb) list
> 291
> 292             if ((m = ikev2_msg_copy(env, msg)) == NULL) {
> 293                     log_debug("%s: failed to copy a message", __func__);
> 294                     return (-1);
> 295             }
> 296             m->msg_exchange = hdr->ike_exchange;
> 297
> 298             if (hdr->ike_flags & IKEV2_FLAG_RESPONSE) {
> 299                     TAILQ_INSERT_TAIL(&sa->sa_responses, m, msg_entry);
> 300                     timer_initialize(env, &m->msg_timer,
> (gdb) bt
> #0  0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at 
> /usr/src/sbin/iked/ikev2_msg.c:296
> #1  0x1c01836b in ikev2_msg_send_encrypt (env=0x86e6b000, sa=0x89ed0000, 
> ep=0xcfbef134, exchange=35 '#', firstpayload=36 '$', response=1) at 
> /usr/src/sbin/iked/ikev2_msg.c:625
> #2  0x1c0106c2 in ikev2_resp_ike_auth (env=0x86e6b000, sa=0x89ed0000) at 
> /usr/src/sbin/iked/ikev2.c:1993
> #3  0x1c00bdef in ikev2_ike_auth (env=0x86e6b000, sa=0x89ed0000, msg=0x0) at 
> /usr/src/sbin/iked/ikev2.c:566
> #4  0x1c00ab98 in ikev2_dispatch_cert (fd=32, p=0x3c03e558, imsg=0xcfbef644) 
> at /usr/src/sbin/iked/ikev2.c:234
> #5  0x1c0282b9 in proc_dispatch (fd=32, event=2, arg=0x3c03e558) at 
> /usr/src/sbin/iked/proc.c:324
> #6  0x1c032885 in event_base_loop (base=0x7cfd0c00, flags=0) at 
> /usr/src/lib/libevent/event.c:402
> #7  0x1c032b2a in event_loop (flags=0) at /usr/src/lib/libevent/event.c:478
> #8  0x1c032b42 in event_dispatch () at /usr/src/lib/libevent/event.c:416
> #9  0x1c028180 in proc_run (ps=0x86e6b4e0, p=0x3c03e47c, procs=0x3c03e520, 
> nproc=3, init=0, arg=0x0) at /usr/src/sbin/iked/proc.c:276
> #10 0x1c00a69c in ikev2 (ps=0x86e6b4e0, p=0x3c03e47c) at 
> /usr/src/sbin/iked/ikev2.c:114
> #11 0x1c027976 in proc_init (ps=0x86e6b4e0, p=0x3c03e47c, nproc=3) at 
> /usr/src/sbin/iked/proc.c:61
> #12 0x1c00955a in main (argc=2, argv=0xcfbefc18) at 
> /usr/src/sbin/iked/iked.c:157
> (gdb) bt full
> #0  0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at 
> /usr/src/sbin/iked/ikev2_msg.c:296
>       sa = (struct iked_sa *) 0x89ed0000
>       buf = (struct ibuf *) 0x7eda8500
>       natt = 0
>       isnatt = 1
>       hdr = (struct ike_header *) 0x818dc000
>       m = (struct iked_message *) 0x87268c00
>       __func__ = "ikev2_msg_send"
> #1  0x1c01836b in ikev2_msg_send_encrypt (env=0x86e6b000, sa=0x89ed0000, 
> ep=0xcfbef134, exchange=35 '#', firstpayload=36 '$', response=1) at 
> /usr/src/sbin/iked/ikev2_msg.c:625
>       resp = {msg_data = 0x7eda8500, msg_offset = 4, msg_local = {ss_len = 16 
> '\020', ss_family = 2 '\002', __ss_pad1 = "\021\224N\203WÃ", __ss_pad2 = 0, 
>    __ss_pad3 = '\0' <repeats 239 times>}, msg_locallen = 16, msg_peer = 
> {ss_len = 16 '\020', ss_family = 2 '\002', __ss_pad1 = "\022\231[Rj\202", 
> __ss_pad2 = 0, 
>    __ss_pad3 = '\0' <repeats 239 times>}, msg_peerlen = 16, msg_sock = 0x0, 
> msg_fd = 12, msg_response = 1, msg_natt = 0, msg_error = 0, msg_e = 0, 
> msg_parent = 0xcfbeee10, 
>  msg_policy = 0x0, msg_sa = 0x89ed0000, msg_msgid = 1, msg_exchange = 0 '\0', 
> msg_proposals = {tqh_first = 0x0, tqh_last = 0xcfbef050}, msg_rekey = {spi = 
> 0, spi_size = 0 '\0', 
>    spi_protoid = 0 '\0'}, msg_nonce = 0x0, msg_ke = 0x0, msg_auth = {id_type 
> = 0 '\0', id_offset = 0 '\0', id_buf = 0x0}, msg_id = {id_type = 0 '\0', 
> id_offset = 0 '\0', 
>    id_buf = 0x0}, msg_cert = {id_type = 0 '\0', id_offset = 0 '\0', id_buf = 
> 0x0}, msg_prop = 0x0, msg_attrlength = 0, msg_timer = {tmr_ev = {ev_next = 
> {tqe_next = 0x0, 
>        tqe_prev = 0x0}, ev_active_next = {tqe_next = 0x0, tqe_prev = 0x0}, 
> ev_signal_next = {tqe_next = 0x0, tqe_prev = 0x0}, min_heap_idx = 0, ev_base 
> = 0x0, ev_fd = 0, 
>      ev_events = 0, ev_ncalls = 0, ev_pncalls = 0x0, ev_timeout = {tv_sec = 
> 0, tv_usec = 0}, ev_pri = 0, ev_callback = 0, ev_arg = 0x0, ev_res = 0, 
> ev_flags = 0}, 
>    tmr_env = 0x0, tmr_cb = 0, tmr_cbarg = 0x0}, msg_entry = {tqe_next = 0x0, 
> tqe_prev = 0x0}, msg_tries = 0}
>       hdr = (struct ike_header *) 0x818dc000
>       pld = (struct ikev2_payload *) 0x818dc01c
>       buf = (struct ibuf *) 0x7eda8500
>       e = (struct ibuf *) 0x7eda8860
>       ret = -1
>       __func__ = "ikev2_msg_send_encrypt"
> #2  0x1c0106c2 in ikev2_resp_ike_auth (env=0x86e6b000, sa=0x89ed0000) at 
> /usr/src/sbin/iked/ikev2.c:1993
>       pld = (struct ikev2_payload *) 0x82c784c7
>       n = (struct ikev2_notify *) 0x0
>       cert = (struct ikev2_cert *) 0x82c7801f
>       auth = (struct ikev2_auth *) 0x82c7837f
>       id = (struct iked_id *) 0x89ed03e0
>       certid = (struct iked_id *) 0x89ed03f0
>       e = (struct ibuf *) 0x7eda82e0
>       firstpayload = 36 '$'
>       ret = -1
>       len = 20
> #3  0x1c00bdef in ikev2_ike_auth (env=0x86e6b000, sa=0x89ed0000, msg=0x0) at 
> /usr/src/sbin/iked/ikev2.c:566
>       id = (struct iked_id *) 0x0
>       certid = (struct iked_id *) 0x0
>       authmsg = (struct ibuf *) 0x0
>       ikeauth = {auth_method = 0 '\0', auth_eap = 0 '\0', auth_length = 0 
> '\0', 
>  auth_data = '\0' <repeats 452 times>, 
> "ÿÿÿÿ\030õ¾ÏÏG\016\034\000Uî|\016\000\000\000(õ¾Ï", '\0' <repeats 16 times>, 
> "\rUî|\000\000\000\000r\000\000\000\bBÿÿ\000Uî|\177\000\000\000ÿÿÿÿXõ¾ÏÏG\016\034\000_î|\037\000\000\000hõ¾Ïøó¾Ï\000\000\000\000\004ô¾Ï\000\000\000\000\036_î|\000\000\000\000a\000\000\000\bBÿÿ\000_î|\177\000\000\000(õ¾Ï",
>  '\0' <repeats 212 times>, 
> "\020\000\000\000\200ëo|x\003\016\201\bõ¾Ï«ö\020\034À\216y|ß\000\000\000\020\000\000\000\020S\004<\000\000\000\000ð\215y|\030õ¾ÏÍ¿\020\034\020S"...}
>       policy = (struct iked_policy *) 0x881f9000
>       ret = -1
>       __func__ = "ikev2_ike_auth"
> #4  0x1c00ab98 in ikev2_dispatch_cert (fd=32, p=0x3c03e558, imsg=0xcfbef644) 
> at /usr/src/sbin/iked/ikev2.c:234
>       env = (struct iked *) 0x86e6b000
>       sh = {sh_ispi = 9593918580251004300, sh_rspi = 10259927512637042501, 
> sh_initiator = 0}
>       sa = (struct iked_sa *) 0x89ed0000
>       type = 4 '\004'
> ---Type <return> to continue, or q <return> to quit---
>       ptr = (u_int8_t *) 0x0
>       len = 2116784128
>       id = (struct iked_id *) 0x0
>       __func__ = "ikev2_dispatch_cert"
> #5  0x1c0282b9 in proc_dispatch (fd=32, event=2, arg=0x3c03e558) at 
> /usr/src/sbin/iked/proc.c:324
>       p = (struct privsep_proc *) 0x3c03e558
>       ps = (struct privsep *) 0x86e6b4e0
>       iev = (struct imsgev *) 0x86e9b6a0
>       ibuf = (struct imsgbuf *) 0x86e9b6a0
>       imsg = {hdr = {type = 19, len = 37, flags = 0, peerid = 4294967295, pid 
> = 24878}, fd = -1, data = 0x7eda8fe0}
>       n = 37
>       verbose = -2056474112
>       title = 0x3c0036c2 "ikev2"
>       __func__ = "proc_dispatch"
> #6  0x1c032885 in event_base_loop (base=0x7cfd0c00, flags=0) at 
> /usr/src/lib/libevent/event.c:402
>       evsel = (const struct eventop *) 0x3c00a8bc
>       evbase = (void *) 0x856cb200
>       tv = {tv_sec = 25, tv_usec = 535181}
>       tv_p = Variable "tv_p" is not available.
> 
>>> The network looks like this:
>>> [ Linux StrongSwan ] <--> [ NAT gw <remote_ip> ]O--Internetz--O[ 
>>> <firefly_ip> ]
>>>        |                                                             |
>>>        `========================== IPsec IKEv2 ======================'
>>> 
>>> Here is the output of iked -dvv from the start until the sig11.
>>> I'm sorry about the "anonimization", if it confuses the reader I'll
>>> gladly elaborate.
>>> 
>> 
>> you can also try "iked -dvvT" and see if that works.
> 
> Yes, it doesn't crash if I disable NAT-Traversal.
> 
> 
> Daniel
> 
> -- 
> LÉVAI Dániel
> PGP key ID = 0x83B63A8F
> Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F

Re: iked's ikev2 segfaults during connection initiation from strongswan

Reply via email to