[Bug 1677990] Re: xl2tpd crash when tearing down L2TP/IPSec VPN connection

Frode Nordahl frode.nordahl at gmail.com
Wed May 10 18:02:33 UTC 2017


** Also affects: xl2tpd (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760602
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1677990

Title:
  xl2tpd crash when tearing down L2TP/IPSec VPN connection

Status in Linux Mint:
  New
Status in xl2tpd package in Ubuntu:
  Fix Released
Status in xl2tpd source package in Xenial:
  In Progress
Status in xl2tpd source package in Yakkety:
  In Progress
Status in xl2tpd package in Debian:
  Unknown

Bug description:
  [Impact]

   * xl2tpd crashes with a segmentation fault when disconnecting from an
  L2TP/IPSec VPN

   * pppd processes are never reaped; the user will have to intervene
  manually to clean up

   * this will be a major annoyance for our users and I suggest we add
  this update to the stable release.

   * the proposed debdiff fixes this problem by patching a NULL-pointer
  de-reference in the upstream code.

  [Test Case]

   * Set up L2TP/IPSec VPN server
     1. create a VM on your computer and install Ubuntu Xenial on it (must be a VM, IPSec won't work in LXC)
     2. sudo apt install xl2tpd libssl-dev
     3. get and run this script: https://github.com/philpl/setup-strong-strongswan

   * Set up L2TP/IPSec VPN client
     1. sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp
         sudo apt update
         sudo apt install network-manager-l2tp
     2. sudo service xl2tpd stop (https://github.com/nm-l2tp/network-manager-l2tp/issues/38)
     3. Configure L2TP/IPSec VPN using Network Manager GUI and point it to the IP of your VM
     4. Connect
     5. Disconnect
     6. Observe that you see xl2tpd SIGSEGV in dmesg and that pppd is still running.

  [Regression Potential]

   * The patch contains a check for NULL before de-referencing a pointer
  during cleanup. The same code has been tested for quite some time in
  the upstream 1.3.8 release that is available in Z and AA.

   * Patch already in Debian upstream for quite some time as well:
     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760602

  [Original bug description]

  Ubuntu Xenial

  xl2tpd[20221]: segfault at 188 ip 000000000040bd08 sp 00007ffd8b6546b0
  error 4 in xl2tpd[400000+1b000]

  Core was generated by `/usr/sbin/xl2tpd -D -c /var/run/nm-xl2tpd.conf.20135 -C /var/run/nm-xl2tpd_l2tp'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x000000000040bd08 in destroy_call (c=0x171d110) at call.c:420
  420	call.c: No such file or directory.
  (gdb) bt
  #0  0x000000000040bd08 in destroy_call (c=0x171d110) at call.c:420
  #1  0x000000000040bf90 in call_close (c=<optimized out>) at call.c:358
  #2  0x000000000040c155 in call_close (c=0x171cb40) at call.c:335
  #3  0x00000000004023d6 in death_handler (signal=signal at entry=15)
      at xl2tpd.c:294
  #4  0x00000000004024bf in process_signal () at xl2tpd.c:338
  #5  0x000000000040d016 in network_thread () at network.c:455
  #6  0x0000000000401b96 in main (argc=<optimized out>, argv=<optimized out>)
      at xl2tpd.c:1557
  (gdb) print *c
  $1 = {lbit = 0, seq_reqd = 0, tx_pkts = 0, rx_pkts = 0, tx_bytes = 0,
    rx_bytes = 0, zlb_xmit = 0x0, prx = 0, state = 12, frame = 1, next = 0x0,
    debug = 0, msgtype = -1, ourcid = 106, cid = 10304, qcid = -1, bearer = -1,
    serno = 1, addr = 0, txspeed = 0, rxspeed = 0, ppd = 0, physchan = -1,
    dialed = '\000' <repeats 119 times>, dialing = '\000' <repeats 119 times>,
    subaddy = '\000' <repeats 119 times>, needclose = 0, closing = -1,
    container = 0x171c6a0, fd = -1, oldptyconf = 0x171d460, die = 0, nego = 0,
    pppd = 20222, result = -1, error = -1, fbit = 0, ourfbit = 0, cnu = 0,
    pnu = 0, errormsg = '\000' <repeats 119 times>, lastsent = {tv_sec = 0,
      tv_usec = 0}, data_seq_num = 0, data_rec_seq_num = 0, closeSs = 0,
    pLr = -1, lns = 0x0, lac = 0x171d4d0, dial_no = '\000' <repeats 127 times>}
  (gdb) print c->lns
  $2 = (struct lns *) 0x0
  (gdb)

  This is a NULL pointer de-reference and is fixed in this commit:
  https://github.com/xelerance/xl2tpd/commit/a193e02c741168a9b9072b523f2d6faf14a049da

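The defect class described in the report, a teardown path that dereferences `c->lns` although a client-side (LAC) call has no LNS attached, shown as an added illustration that is not xl2tpd's own code: `struct call`, `struct lns`, `struct lac`, `reap_pppd` and both `destroy_call` variants are simplified hypothetical stand-ins, and the field values mirror the gdb dump above (`ourcid = 106`, `pppd = 20222`, `lns = 0x0`).

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for xl2tpd's structures, not the upstream definitions. */
struct lns { int active_calls; };
struct lac { int active_calls; };
struct call {
    int ourcid;
    int pppd;          /* pid of the pppd child, 0 if none */
    struct lns *lns;   /* set only for server-side (LNS) calls */
    struct lac *lac;   /* set only for client-side (LAC) calls */
    int closing;
};

/* Stand-in for reaping the pppd child; real code would signal it and waitpid(). */
static int reaped_pids[16];
static int reaped_count = 0;
static void reap_pppd(int pid) { if (pid > 0 && reaped_count < 16) reaped_pids[reaped_count++] = pid; }

/* Unsafe teardown: assumes every call has an LNS, so a LAC call crashes here. */
void destroy_call_unsafe(struct call *c) {
    reap_pppd(c->pppd);
    c->lns->active_calls--;    /* NULL-pointer dereference when c->lns == NULL */
    free(c);
}

/* Hardened teardown: only touch whichever endpoint this call actually belongs to. */
int destroy_call_safe(struct call *c) {
    if (c == NULL) return -1;
    reap_pppd(c->pppd);        /* reap first so pppd is never left behind */
    if (c->lns != NULL) c->lns->active_calls--;
    if (c->lac != NULL) c->lac->active_calls--;
    free(c);
    return 0;
}

/* Tear down a client-side call shaped like the one in the crash dump (lns == NULL, lac set).
 * Returns 0 when the LAC counter was decremented and pppd 20222 was reaped. */
int teardown_client_call(void) {
    struct lac lac = { .active_calls = 1 };
    struct call *c = calloc(1, sizeof *c);
    if (c == NULL) return -1;
    c->ourcid = 106; c->pppd = 20222; c->lac = &lac; c->lns = NULL; c->closing = -1;
    reaped_count = 0;
    if (destroy_call_safe(c) != 0) return -2;
    return (lac.active_calls == 0 && reaped_count == 1 && reaped_pids[0] == 20222) ? 0 : -3;
}
```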
More information about the Ubuntu-sponsors mailing list