Package: xl2tpd
Version: 1.3.6+dfsg-4
Severity: important
Dear Maintainer,
I set up a connection to an L2TP server using xl2tpd (echo 'c connection_name' > /var/run/xl2tpd/l2tp-control).
If I use 'ps aux|grep xl2tpd', I can see the daemon is running. The daemon
seems OK.
However, when the disconnection is carried out
(echo 'd connection_name' > /var/run/xl2tpd/l2tp-control),
the xl2tpd daemon suddenly crashes.
Then "ps aux|grep xl2tpd" shows the daemon has vanished, and if I use
"echo 'c connection_name' > /var/run/xl2tpd/l2tp-control", the command
hangs. I have to restart the daemon.
I tried to debug the code, and I find the problem may come from the patch
0003-Add-local-ip-range-option.patch for "call.c". After patching, the
code between lines 416-422 in "call.c" is
#ifdef IP_ALLOCATION
if (c->addr)
unreserve_addr (c->addr);
if (c->lns->localrange)
unreserve_addr (c->lns->localaddr);
#endif
At line 420, if c->lns is NULL, the program will crash. In my opinion, rewriting
line 420 as "if (c->lns && c->lns->localrange)" will fix the bug. #760602
may also be partially caused by this bug, because Jon Westgate <[email protected]>
pointed out the same bug in #760602.
I think xl2tpd may have other similar bugs. Maybe a thorough check
is needed, but that is beyond my ability.
Thank you
Lu Wang
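The crash path described in the report, reduced to a stand-alone example. This is added illustration, not xl2tpd's own code: the struct layouts, the counting unreserve_addr() stand-in and the release_call_addrs_* function names are assumptions made here so the buggy cleanup and the guarded version proposed above can be run side by side. The report's point is that a LAC-side call has no LNS object, so c->lns is NULL when the 'd' command tears the call down; the short-circuit in the guarded version is what keeps that dereference from happening.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-ins for the xl2tpd structures touched by the cleanup path.
 * Assumption: the real struct call / struct lns carry many more fields;
 * only the members the quoted lines read are modelled here. */
struct lns {
    int localrange;            /* non-zero when "local ip range" is configured */
    unsigned int localaddr;    /* local address taken from that range */
};

struct call {
    unsigned int addr;         /* address reserved for the peer, 0 if none */
    struct lns *lns;           /* owning LNS; NULL for a LAC-initiated call */
};

/* Hypothetical replacement for unreserve_addr(): only counts releases so
 * each cleanup variant's effect can be checked from the return value. */
static int released;

static void unreserve_addr(unsigned int addr)
{
    (void)addr;
    released++;
}

/* Cleanup as it stands after 0003-Add-local-ip-range-option.patch:
 * c->lns is dereferenced unconditionally, so a call with lns == NULL
 * crashes here on disconnect. Never call this with c->lns == NULL. */
int release_call_addrs_buggy(struct call *c)
{
    released = 0;
    if (c->addr)
        unreserve_addr(c->addr);
    if (c->lns->localrange)            /* NULL dereference when c->lns == NULL */
        unreserve_addr(c->lns->localaddr);
    return released;
}

/* The same cleanup with the guard proposed in the report. && evaluates
 * left to right and stops at the first false operand, so c->lns->localrange
 * is only read when c->lns is non-NULL. */
int release_call_addrs_fixed(struct call *c)
{
    released = 0;
    if (c->addr)
        unreserve_addr(c->addr);
    if (c->lns && c->lns->localrange)
        unreserve_addr(c->lns->localaddr);
    return released;
}

/* Scenario helpers with constructed sample data. */
int demo_lns_call_with_range(void)
{
    struct lns lns = { 1, 0xC0A8C801u };            /* 192.168.200.1 */
    struct call c = { 0xC0A8C802u, &lns };           /* LNS side, range configured */
    return release_call_addrs_fixed(&c);             /* peer + local address */
}

int demo_lac_call(void)
{
    struct call c = { 0xC0A8C803u, NULL };           /* LAC side: no LNS object */
    return release_call_addrs_fixed(&c);             /* peer address only */
}

int main(void)
{
    printf("LNS call releases %d address(es)\n", demo_lns_call_with_range());
    /* release_call_addrs_buggy() on the LAC call would segfault here;
     * the guarded version releases the peer address and skips the local one. */
    printf("LAC call releases %d address(es)\n", demo_lac_call());
    return 0;
}
```

The buggy and fixed variants give identical results whenever c->lns is set, which is why the LNS-side tests in the original setup pass; the difference only shows on the LAC-side teardown that the report exercises.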
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages xl2tpd depends on:
ii libc6 2.23-5
ii libpcap0.8 1.7.4-2
ii ppp 2.4.7-1+3
xl2tpd recommends no packages.
xl2tpd suggests no packages.
-- Configuration Files:
/etc/xl2tpd/l2tp-secrets [Errno 13] Permission denied: u'/etc/xl2tpd/l2tp-secrets'
/etc/xl2tpd/xl2tpd.conf changed:
;
; Sample l2tpd configuration file
;
; This example file should give you some idea of how the options for l2tpd
; should work. The best place to look for a list of all options is in
; the source code itself, until I have the time to write better documentation :)
; Specifically, the file "file.c" contains a list of commands at the end.
;
; You most definitely don't have to spell out everything as it is done here
;
[global] ; Global parameters:
listen-addr=10.14.129.9
port = 1701 ; * Bind to port 1701
auth file = /etc/l2tpd/l2tp-secrets ; * Where our challenge secrets are
access control = yes ; * Refuse connections without IP match
rand source = dev ; Source for entropy for random
; ; numbers, options are:
; ; dev - reads of /dev/urandom
; ; sys - uses rand()
; ; egd - reads from egd socket
; ; egd is not yet implemented
;
; [lns default] ; Our fallthrough LNS definition
; exclusive = no ; * Only permit one tunnel per host
; ip range = 192.168.0.1-192.168.0.20 ; * Allocate from this IP range
; no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts
; ip range = 192.168.0.5 ; * But this one is okay
; ip range = lac1-lac2 ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8 ; * These can connect as LAC's
; no lac = untrusted.marko.net ; * This guy can't connect
; hidden bit = no ; * Use hidden AVP's?
; local ip = 192.168.1.2 ; * Our local IP to use
; local ip range = 192.168.200.0-192.168.200.20 ; Alternatively, use a range for local addressing
; length bit = yes ; * Use length bit in payload?
; require chap = yes ; * Require CHAP auth. by peer
; refuse pap = yes ; * Refuse PAP authentication
; refuse chap = no ; * Refuse CHAP authentication
; refuse authentication = no ; * Refuse authentication altogether
; require authentication = yes ; * Require peer to authenticate
; unix authentication = no ; * Use /etc/passwd for auth.
; name = myhostname ; * Report this as our hostname
; ppp debug = no ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file
; call rws = 10 ; * RWS for call (-1 is valid)
; tunnel rws = 4 ; * RWS for tunnel (must be > 0)
; flow bit = yes ; * Include sequence numbers
; challenge = yes ; * Challenge authenticate peer ;
; rx bps = 10000000 ; Receive tunnel speed
; tx bps = 10000000 ; Transmit tunnel speed
; bps = 100000 ; Define both receive and transmit speed in one option
; [lac marko] ; Example VPN LAC definition
; lns = lns.marko.net ; * Who is our LNS?
; lns = lns2.marko.net ; * A backup LNS (not yet used)
; redial = yes ; * Redial if disconnected?
; redial timeout = 15 ; * Wait n seconds between redials
; max redials = 5 ; * Give up after n consecutive failures
; hidden bit = yes ; * Use hidden AVP's?
; local ip = 192.168.1.1 ; * Force peer to use this IP for us
; remote ip = 192.168.1.2 ; * Force peer to use this as their IP
; length bit = no ; * Use length bit in payload?
; require pap = no ; * Require PAP auth. by peer
; require chap = yes ; * Require CHAP auth. by peer
; refuse pap = yes ; * Refuse PAP authentication
; refuse chap = no ; * Refuse CHAP authentication
; refuse authentication = no ; * Refuse authentication altogether
; require authentication = yes ; * Require peer to authenticate
; name = marko ; * Report this as our hostname
; ppp debug = no ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.marko ; * ppp options file for this lac
; call rws = 10 ; * RWS for call (-1 is valid)
; tunnel rws = 4 ; * RWS for tunnel (must be > 0)
; flow bit = yes ; * Include sequence numbers
; challenge = yes ; * Challenge authenticate peer
;
;add by Tony
[lac ZJU_VPN]
lns=10.5.1.9
;lns=lns.zju.edu.cn
redial=yes
redial timeout=15
max redials=5
require pap=no
require chap=yes
require authentication=yes
name=11006142@a
;name=cpsp@d
ppp debug=no
pppoptfile = /etc/ppp/options.xl2tpd.zju
; [lac cisco] ; Another quick LAC
; lns = cisco.marko.net ; * Required, but can take from default
; require authentication = yes
; [lac cisco] ; Another quick LAC
; lns = cisco.marko.net ; * Required, but can take from default
; require authentication = yes
-- no debconf information