[Bug 1677990] Re: xl2tpd crash when tearing down L2TP/IPSec VPN connection

Mathew Hodson mathew.hodson at gmail.com
Sun Apr 2 06:55:35 UTC 2017


** Changed in: xl2tpd (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1677990

Title:
  xl2tpd crash when tearing down L2TP/IPSec VPN connection

Status in xl2tpd package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu Xenial

  xl2tpd[20221]: segfault at 188 ip 000000000040bd08 sp 00007ffd8b6546b0
  error 4 in xl2tpd[400000+1b000]

  Core was generated by `/usr/sbin/xl2tpd -D -c /var/run/nm-xl2tpd.conf.20135 -C /var/run/nm-xl2tpd_l2tp'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x000000000040bd08 in destroy_call (c=0x171d110) at call.c:420
  420	call.c: No such file or directory.
  (gdb) bt
  #0  0x000000000040bd08 in destroy_call (c=0x171d110) at call.c:420
  #1  0x000000000040bf90 in call_close (c=<optimized out>) at call.c:358
  #2  0x000000000040c155 in call_close (c=0x171cb40) at call.c:335
  #3  0x00000000004023d6 in death_handler (signal=signal@entry=15)
      at xl2tpd.c:294
  #4  0x00000000004024bf in process_signal () at xl2tpd.c:338
  #5  0x000000000040d016 in network_thread () at network.c:455
  #6  0x0000000000401b96 in main (argc=<optimized out>, argv=<optimized out>)
      at xl2tpd.c:1557
  (gdb) print *c
  $1 = {lbit = 0, seq_reqd = 0, tx_pkts = 0, rx_pkts = 0, tx_bytes = 0, 
    rx_bytes = 0, zlb_xmit = 0x0, prx = 0, state = 12, frame = 1, next = 0x0, 
    debug = 0, msgtype = -1, ourcid = 106, cid = 10304, qcid = -1, bearer = -1, 
    serno = 1, addr = 0, txspeed = 0, rxspeed = 0, ppd = 0, physchan = -1, 
    dialed = '\000' <repeats 119 times>, dialing = '\000' <repeats 119 times>, 
    subaddy = '\000' <repeats 119 times>, needclose = 0, closing = -1, 
    container = 0x171c6a0, fd = -1, oldptyconf = 0x171d460, die = 0, nego = 0, 
    pppd = 20222, result = -1, error = -1, fbit = 0, ourfbit = 0, cnu = 0, 
    pnu = 0, errormsg = '\000' <repeats 119 times>, lastsent = {tv_sec = 0, 
      tv_usec = 0}, data_seq_num = 0, data_rec_seq_num = 0, closeSs = 0, 
    pLr = -1, lns = 0x0, lac = 0x171d4d0, dial_no = '\000' <repeats 127 times>}
  (gdb) print c->lns
  $2 = (struct lns *) 0x0
  (gdb) 

  This is a NULL pointer de-reference and is fixed in this commit:
  https://github.com/xelerance/xl2tpd/commit/a193e02c741168a9b9072b523f2d6faf14a049da

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1677990/+subscriptions


