** Description changed: + [Impact] + + * xl2tpd crash with segmentation fault when disconnecting from + L2TP/IPSec VPN + + * pppd processes never reaped, user will have to manually intervene to + clean up + + * this will be a major annoyance for our users and I suggest we add + this update to the stable release. + + * the proposed debdiff fixes this problem by patching a NULL-pointer + de-reference in the upstream code. + + [Test Case] + + * Set up L2TP/IPSec VPN server + 1. create a VM on your computer and install Ubuntu Xenial on it (must be VM, IPSec won't work in LXC) + 2. sudo apt install xl2tpd libssl-dev + 3. get and run this script: https://github.com/philpl/setup-strong-strongswan + + * Set up L2TP/IPSec VPN client + 1. sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp + sudo apt update + sudo apt install network-manager-l2tp + 2. sudo service xl2tpd stop (https://github.com/nm-l2tp/network-manager-l2tp/issues/38) + 3. Configure L2TP/IPSec VPN using Network Manager GUI and point it to the IP of your VM + 4. Connect + 5. Disconnect + 6. Observe that you see xl2tpd SIGSEGV in dmesg and that pppd is still running. + + [Regression Potential] + + * The patch contains no change but a check for NULL before de- + referencing a pointer during cleanup. + + [Original bug description] + Ubuntu Xenial xl2tpd[20221]: segfault at 188 ip 000000000040bd08 sp 00007ffd8b6546b0 error 4 in xl2tpd[400000+1b000] Core was generated by `/usr/sbin/xl2tpd -D -c /var/run/nm-xl2tpd.conf.20135 -C /var/run/nm-xl2tpd_l2tp'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000000000040bd08 in destroy_call (c=0x171d110) at call.c:420 420 call.c: No such file or directory. 
(gdb) bt #0 0x000000000040bd08 in destroy_call (c=0x171d110) at call.c:420 #1 0x000000000040bf90 in call_close (c=<optimized out>) at call.c:358 #2 0x000000000040c155 in call_close (c=0x171cb40) at call.c:335 #3 0x00000000004023d6 in death_handler (signal=signal@entry=15) - at xl2tpd.c:294 + at xl2tpd.c:294 #4 0x00000000004024bf in process_signal () at xl2tpd.c:338 #5 0x000000000040d016 in network_thread () at network.c:455 #6 0x0000000000401b96 in main (argc=<optimized out>, argv=<optimized out>) - at xl2tpd.c:1557 + at xl2tpd.c:1557 (gdb) print *c - $1 = {lbit = 0, seq_reqd = 0, tx_pkts = 0, rx_pkts = 0, tx_bytes = 0, - rx_bytes = 0, zlb_xmit = 0x0, prx = 0, state = 12, frame = 1, next = 0x0, - debug = 0, msgtype = -1, ourcid = 106, cid = 10304, qcid = -1, bearer = -1, - serno = 1, addr = 0, txspeed = 0, rxspeed = 0, ppd = 0, physchan = -1, - dialed = '\000' <repeats 119 times>, dialing = '\000' <repeats 119 times>, - subaddy = '\000' <repeats 119 times>, needclose = 0, closing = -1, - container = 0x171c6a0, fd = -1, oldptyconf = 0x171d460, die = 0, nego = 0, - pppd = 20222, result = -1, error = -1, fbit = 0, ourfbit = 0, cnu = 0, - pnu = 0, errormsg = '\000' <repeats 119 times>, lastsent = {tv_sec = 0, - tv_usec = 0}, data_seq_num = 0, data_rec_seq_num = 0, closeSs = 0, - pLr = -1, lns = 0x0, lac = 0x171d4d0, dial_no = '\000' <repeats 127 times>} + $1 = {lbit = 0, seq_reqd = 0, tx_pkts = 0, rx_pkts = 0, tx_bytes = 0, + rx_bytes = 0, zlb_xmit = 0x0, prx = 0, state = 12, frame = 1, next = 0x0, + debug = 0, msgtype = -1, ourcid = 106, cid = 10304, qcid = -1, bearer = -1, + serno = 1, addr = 0, txspeed = 0, rxspeed = 0, ppd = 0, physchan = -1, + dialed = '\000' <repeats 119 times>, dialing = '\000' <repeats 119 times>, + subaddy = '\000' <repeats 119 times>, needclose = 0, closing = -1, + container = 0x171c6a0, fd = -1, oldptyconf = 0x171d460, die = 0, nego = 0, + pppd = 20222, result = -1, error = -1, fbit = 0, ourfbit = 0, cnu = 0, + pnu = 0, errormsg = '\000' 
<repeats 119 times>, lastsent = {tv_sec = 0, + tv_usec = 0}, data_seq_num = 0, data_rec_seq_num = 0, closeSs = 0, + pLr = -1, lns = 0x0, lac = 0x171d4d0, dial_no = '\000' <repeats 127 times>} (gdb) print c->lns $2 = (struct lns *) 0x0 - (gdb) + (gdb) This is a NULL pointer de-reference and is fixed in this commit: https://github.com/xelerance/xl2tpd/commit/a193e02c741168a9b9072b523f2d6faf14a049da
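Review bot: step 6 of the client steps in [Test Case] only describes the failing behaviour ("Observe that you see xl2tpd SIGSEGV in dmesg and that pppd is still running"); add the expected result with the patched package, i.e. no xl2tpd segfault in dmesg after Disconnect and no leftover pppd process, so whoever verifies the update knows what a pass looks like. [Regression Potential] restates what the patch does ("no change but a check for NULL") rather than naming what could regress; say which path is touched (the cleanup reached from death_handler via call_close and destroy_call in the backtrace) and what to re-test there. The trailing -/+ pairs over the gdb output differ only in whitespace and could be dropped from the description change.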
https://bugs.launchpad.net/bugs/1677990
Title: xl2tpd crash when tearing down L2TP/IPSec VPN connection
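The failure mode in the description above (cleanup reads through `c->lns` while it is NULL, so the daemon dies before pppd is reaped), shown as an added example that is neither xl2tpd's code nor the upstream commit. The field names `lns`, `lac` and `pppd` come from the gdb dump; the struct layouts, the field being read and all function names except `destroy_call` are assumptions.

```c
/* Simplified model, not xl2tpd source. Field names lns, lac and pppd follow the
 * gdb dump; struct layouts and the field being read are assumptions. */
#include <signal.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

struct lns { int debug; };   /* hypothetical layout */
struct lac { int debug; };   /* hypothetical layout */
struct call { struct lns *lns; struct lac *lac; pid_t pppd; };

/* Terminate and reap the pppd child; returns 1 once it has been reaped. */
static int reap_pppd(struct call *c)
{
    int status;
    if (c->pppd <= 0 || kill(c->pppd, SIGTERM) != 0) return 0;
    if (waitpid(c->pppd, &status, 0) != c->pppd) return 0;
    c->pppd = 0;
    return 1;
}

/* Before: assumes every call has an LNS. With lns == NULL the read faults
 * before reap_pppd() runs, so the child is left behind. Never called here. */
int destroy_call_unchecked(struct call *c)
{
    int debug = c->lns->debug;            /* NULL dereference when lns == NULL */
    int reaped = reap_pppd(c);
    (void)debug;
    free(c);
    return reaped;
}

/* After: check the pointer before use, then carry on with the cleanup. */
int destroy_call_checked(struct call *c)
{
    int debug = c->lns ? c->lns->debug : 0;
    int reaped = reap_pppd(c);
    (void)debug;
    free(c);
    return reaped;
}

/* Constructed scenario matching the dump: lns NULL, lac set, pppd running. */
int demo_lac_teardown(void)
{
    static struct lac lac;
    struct call *c = calloc(1, sizeof *c);
    if (!c) return -1;
    c->lac = &lac;
    c->pppd = fork();
    if (c->pppd == 0) { for (;;) pause(); }   /* stand-in for pppd */
    if (c->pppd < 0) { free(c); return -1; }
    return destroy_call_checked(c);
}
int main(void) { return demo_lac_teardown() == 1 ? 0 : 1; }
```

`demo_lac_teardown()` returns 1 when the stand-in child was terminated and reaped, which is the outcome the crash in the unchecked variant prevents.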
