[Bug 1677990] Re: xl2tpd crash when tearing down L2TP/IPSec VPN connection
Mathew Hodson
mathew.hodson at gmail.com
Sun Apr 2 06:55:35 UTC 2017
** Changed in: xl2tpd (Ubuntu)
Importance: Undecided => Medium
--
https://bugs.launchpad.net/bugs/1677990
Title:
xl2tpd crash when tearing down L2TP/IPSec VPN connection
Status in xl2tpd package in Ubuntu:
Confirmed
Bug description:
Ubuntu Xenial
xl2tpd[20221]: segfault at 188 ip 000000000040bd08 sp 00007ffd8b6546b0
error 4 in xl2tpd[400000+1b000]
Core was generated by `/usr/sbin/xl2tpd -D -c /var/run/nm-xl2tpd.conf.20135 -C /var/run/nm-xl2tpd_l2tp'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000000000040bd08 in destroy_call (c=0x171d110) at call.c:420
420 call.c: No such file or directory.
(gdb) bt
#0 0x000000000040bd08 in destroy_call (c=0x171d110) at call.c:420
#1 0x000000000040bf90 in call_close (c=<optimized out>) at call.c:358
#2 0x000000000040c155 in call_close (c=0x171cb40) at call.c:335
#3 0x00000000004023d6 in death_handler (signal=signal@entry=15)
at xl2tpd.c:294
#4 0x00000000004024bf in process_signal () at xl2tpd.c:338
#5 0x000000000040d016 in network_thread () at network.c:455
#6 0x0000000000401b96 in main (argc=<optimized out>, argv=<optimized out>)
at xl2tpd.c:1557
(gdb) print *c
$1 = {lbit = 0, seq_reqd = 0, tx_pkts = 0, rx_pkts = 0, tx_bytes = 0,
rx_bytes = 0, zlb_xmit = 0x0, prx = 0, state = 12, frame = 1, next = 0x0,
debug = 0, msgtype = -1, ourcid = 106, cid = 10304, qcid = -1, bearer = -1,
serno = 1, addr = 0, txspeed = 0, rxspeed = 0, ppd = 0, physchan = -1,
dialed = '\000' <repeats 119 times>, dialing = '\000' <repeats 119 times>,
subaddy = '\000' <repeats 119 times>, needclose = 0, closing = -1,
container = 0x171c6a0, fd = -1, oldptyconf = 0x171d460, die = 0, nego = 0,
pppd = 20222, result = -1, error = -1, fbit = 0, ourfbit = 0, cnu = 0,
pnu = 0, errormsg = '\000' <repeats 119 times>, lastsent = {tv_sec = 0,
tv_usec = 0}, data_seq_num = 0, data_rec_seq_num = 0, closeSs = 0,
pLr = -1, lns = 0x0, lac = 0x171d4d0, dial_no = '\000' <repeats 127 times>}
(gdb) print c->lns
$2 = (struct lns *) 0x0
(gdb)
This is a NULL pointer de-reference and is fixed in this commit:
https://github.com/xelerance/xl2tpd/commit/a193e02c741168a9b9072b523f2d6faf14a049da
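As an added triage aid (not part of the bug report or of xl2tpd), the kernel segfault line quoted above can be decoded mechanically: the fault address 188 together with "error 4" is consistent with a read through the NULL c->lns pointer shown in the gdb session. The function names and the 4 KiB page size are assumptions of this sketch.

```python
import re

# Kernel message layout on x86:
#   comm[pid]: segfault at ADDR ip IP sp SP error CODE in OBJECT[BASE+SIZE]
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

PAGE_SIZE = 4096  # assumption: 4 KiB pages, so page 0 is never mapped


def decode_error(code):
    """Decode the low bits of the x86 page-fault error code."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
        "instruction_fetch": bool(code & 16),
    }


def triage(line):
    """Return a dict describing the fault, or None if no segfault line is found."""
    # Collapse whitespace first: mail and syslog viewers wrap the line.
    m = SEGFAULT_RE.search(" ".join(line.split()))
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    report = {"comm": m["comm"], "pid": int(m["pid"]), "fault_addr": addr}
    report.update(decode_error(err))
    if m["base"]:
        report["object"] = m["obj"]
        # Offset of the faulting instruction inside the mapped object.
        report["ip_offset"] = ip - int(m["base"], 16)
    # A not-present fault inside page 0 is the signature of base pointer 0
    # plus a small struct-field offset.
    report["likely_null_deref"] = addr < PAGE_SIZE and not (err & 1)
    return report


# The log line from the bug description, wrapped as it appears there.
LOG = """xl2tpd[20221]: segfault at 188 ip 000000000040bd08 sp 00007ffd8b6546b0
error 4 in xl2tpd[400000+1b000]"""

if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(f"{key}: {value}")
```

For this report the decoder yields a user-mode read of a not-present page at 0x188, with the faulting instruction 0xbd08 bytes into the xl2tpd mapping, matching frame #0 of the backtrace.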