Package: tinc
Version: 1.0.33-1
Severity: important
Tags: ipv6 patch

Dear Maintainer,
Using my tinc setup I observe spurious SEGFAULTs in the daemon process. My configuration comprises a proxy (type exec) and the peer's address is given by its domain name. The domain resolves to both IPv4 and IPv6. As IPv6 is not working in my environment, all connection attempts to the resolved IPv6 addresses fail. Sometimes, after such a failure, the segfault occurs. I used valgrind to track down the problem (attached file). Apparently, the issue is caused by a use after free due to failing to reset a pointer. The patch is attached, too.

Best,
Maximilian

-- System Information:
Debian Release: 9.3
  APT prefers stable
  APT policy: (900, 'stable'), (800, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tinc depends on:
ii  init-system-helpers  1.48
ii  libc6                2.24-11+deb9u1
ii  liblzo2-2            2.08-1.2+b2
ii  libssl1.1            1.1.0f-3+deb9u1
ii  lsb-base             9.20161125
ii  zlib1g               1:1.2.8.dfsg-5

tinc recommends no packages.

tinc suggests no packages.

-- Configuration Files:
/etc/default/tinc changed:
EXTRA="-d 2 --user nobody"

-- no debconf information
Trying to connect to login2 (xxxx:xxxx:xxxx:xxxx::1 port 655)
Using proxy /etc/tinc/tinc-proxy.py
Connected to login2 (xxxx:xxxx:xxxx:xxxx::1 port 655)
2018-01-16 00:12:40 [simple-obfs] INFO: obfuscating enabled
2018-01-16 00:12:40 [simple-obfs] INFO: tcp port reuse enabled
2018-01-16 00:12:40 [simple-obfs] INFO: listening at 127.0.0.1:43045
Timeout from login2 (xxxx:xxxx:xxxx:xxxx::1 port 655) during authentication
Closing connection with login2 (xxxx:xxxx:xxxx:xxxx::1 port 655)
==28931== Invalid read of size 8
==28931==    at 0x10F7D1: edge_del (edge.c:95)
==28931==    by 0x111C2C: terminate_connection.part.0 (net.c:220)
==28931==    by 0x11298C: terminate_connection (net.c:191)
==28931==    by 0x11298C: check_dead_connections (net.c:301)
==28931==    by 0x11298C: main_loop (net.c:495)
==28931==    by 0x10D108: main (tincd.c:807)
==28931==  Address 0x5f54340 is 64 bytes inside a block of size 72 free'd
==28931==    at 0x4C2CDDB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28931==    by 0x10D93A: avl_free_node (avl_tree.c:298)
==28931==    by 0x10E148: avl_delete_node (avl_tree.c:661)
==28931==    by 0x10E148: avl_delete (avl_tree.c:670)
==28931==    by 0x111BCF: terminate_connection.part.0 (net.c:220)
==28931==    by 0x11225A: terminate_connection (net.c:382)
==28931==    by 0x11225A: check_network_activity (net.c:382)
==28931==    by 0x11225A: main_loop (net.c:484)
==28931==    by 0x10D108: main (tincd.c:807)
==28931==  Block was alloc'd at
==28931==    at 0x4C2DBC5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28931==    by 0x10F732: xmalloc_and_zero (xalloc.h:37)
==28931==    by 0x10F732: new_edge (edge.c:74)
==28931==    by 0x11BD61: ack_h (protocol_auth.c:643)
==28931==    by 0x11A5DD: receive_request (protocol.c:159)
==28931==    by 0x1110CD: receive_meta (meta.c:233)
==28931==    by 0x112239: check_network_activity (net.c:381)
==28931==    by 0x112239: main_loop (net.c:484)
==28931==    by 0x10D108: main (tincd.c:807)
==28931==
==28931== Invalid write of size 8
==28931==    at 0x10F7DD: edge_del (edge.c:96)
==28931==    by 0x111C2C: terminate_connection.part.0 (net.c:220)
==28931==    by 0x11298C: terminate_connection (net.c:191)
==28931==    by 0x11298C: check_dead_connections (net.c:301)
==28931==    by 0x11298C: main_loop (net.c:495)
==28931==    by 0x10D108: main (tincd.c:807)
==28931==  Address 0x5f54d70 is 64 bytes inside a block of size 72 free'd
==28931==    at 0x4C2CDDB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28931==    by 0x10D93A: avl_free_node (avl_tree.c:298)
==28931==    by 0x10E148: avl_delete_node (avl_tree.c:661)
==28931==    by 0x10E148: avl_delete (avl_tree.c:670)
==28931==    by 0x111C98: terminate_connection.part.0 (net.c:237)
==28931==    by 0x11225A: terminate_connection (net.c:382)
==28931==    by 0x11225A: check_network_activity (net.c:382)
==28931==    by 0x11225A: main_loop (net.c:484)
==28931==    by 0x10D108: main (tincd.c:807)
==28931==  Block was alloc'd at
==28931==    at 0x4C2DBC5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28931==    by 0x10F732: xmalloc_and_zero (xalloc.h:37)
==28931==    by 0x10F732: new_edge (edge.c:74)
==28931==    by 0x11C314: add_edge_h (protocol_edge.c:159)
==28931==    by 0x11A5DD: receive_request (protocol.c:159)
==28931==    by 0x1110CD: receive_meta (meta.c:233)
==28931==    by 0x112239: check_network_activity (net.c:381)
==28931==    by 0x112239: main_loop (net.c:484)
==28931==    by 0x10D108: main (tincd.c:807)
==28931==
==28931== Invalid read of size 8
==28931==    at 0x10F7F4: edge_del (edge.c:100)
==28931==    by 0x111C2C: terminate_connection.part.0 (net.c:220)
==28931==    by 0x11298C: terminate_connection (net.c:191)
==28931==    by 0x11298C: check_dead_connections (net.c:301)
==28931==    by 0x11298C: main_loop (net.c:495)
==28931==    by 0x10D108: main (tincd.c:807)
==28931==  Address 0x5f54300 is 0 bytes inside a block of size 72 free'd
==28931==    at 0x4C2CDDB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28931==    by 0x10D93A: avl_free_node (avl_tree.c:298)
==28931==    by 0x10E148: avl_delete_node (avl_tree.c:661)
==28931==    by 0x10E148: avl_delete (avl_tree.c:670)
==28931==    by 0x111BCF: terminate_connection.part.0 (net.c:220)
==28931==    by 0x11225A: terminate_connection (net.c:382)
==28931==    by 0x11225A: check_network_activity (net.c:382)
==28931==    by 0x11225A: main_loop (net.c:484)
==28931==    by 0x10D108: main (tincd.c:807)
==28931==  Block was alloc'd at
==28931==    at 0x4C2DBC5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28931==    by 0x10F732: xmalloc_and_zero (xalloc.h:37)
==28931==    by 0x10F732: new_edge (edge.c:74)
==28931==    by 0x11BD61: ack_h (protocol_auth.c:643)
==28931==    by 0x11A5DD: receive_request (protocol.c:159)
==28931==    by 0x1110CD: receive_meta (meta.c:233)
==28931==    by 0x112239: check_network_activity (net.c:381)
==28931==    by 0x112239: main_loop (net.c:484)
==28931==    by 0x10D108: main (tincd.c:807)
==28931==
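The failure mode the trace shows, as an added model that is not tinc's code: a connection keeps a raw pointer to its edge, terminate_connection is reached twice for the same connection (once from check_network_activity, later from check_dead_connections), and the second pass hands an already freed edge to edge_del. The edge pool, the live flag and the if (c->edge) guard around edge_del are assumptions of this model; the guard is what makes the patch's pointer reset effective.

```c
#include <stddef.h>

/* Constructed stand-in for the objects in the trace (not tinc's code).
 * Edges come from a fixed pool instead of the heap so that touching a
 * freed edge is counted rather than being undefined behaviour. */
#define POOL_SIZE 4

typedef struct edge { int id; int live; } edge_t;         /* live: 0 after edge_del */
typedef struct connection { edge_t *edge; } connection_t; /* the dangling handle */

static edge_t pool[POOL_SIZE];
static int stale_deletes;   /* edge_del() reached with an already freed edge */

static edge_t *new_edge(int id) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].live) { pool[i].id = id; pool[i].live = 1; return &pool[i]; }
    return NULL;
}

/* Plays the role of tinc's edge_del(): unlink the edge and release it. */
static void edge_del(edge_t *e) {
    if (!e->live) {          /* valgrind's "invalid read ... block free'd" */
        stale_deletes++;
        return;
    }
    e->live = 0;
}

/* Cleanup as the trace shows it, reached twice for one connection
 * (check_network_activity first, check_dead_connections later). */
static void terminate_connection(connection_t *c, int reset_pointer) {
    if (c->edge) {           /* assumed guard; a NULL edge is skipped */
        edge_del(c->edge);
        if (reset_pointer)
            c->edge = NULL;  /* the one-line fix from the attached patch */
    }
}

/* Number of stale edge deletes produced by terminating one connection twice:
 * 1 without the fix, 0 with it. */
int run_double_terminate(int reset_pointer) {
    for (int i = 0; i < POOL_SIZE; i++) pool[i].live = 0;
    stale_deletes = 0;
    connection_t c = { new_edge(1) };
    terminate_connection(&c, reset_pointer);
    terminate_connection(&c, reset_pointer);
    return stale_deletes;
}
```

If the freed slot had been handed to a later new_edge in between, the stale pointer would silently delete an unrelated edge instead; that variant is exactly the one a memory checker cannot flag, which is why resetting the owner's pointer matters more than the NULL check alone.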
diff --git a/src/net.c b/src/net.c index 4b64492d..1fecd88f 100644 --- a/src/net.c +++ b/src/net.c @@ -218,6 +218,7 @@ void terminate_connection(connection_t *c, bool report) { } edge_del(c->edge); + c->edge = NULL; /* Run MST and SSSP algorithms */
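Review bot: the added c->edge = NULL; after edge_del(c->edge); only stops the second pass if the code that reaches this edge_del call tests c->edge for NULL first, and that guard is not among the hunk's context lines; please confirm it, and any other reader of c->edge later in terminate_connection, before relying on the reset. The patch also carries no commit message: the valgrind trace shows terminate_connection reaching edge_del once via check_network_activity (net.c:382) and again via check_dead_connections (net.c:301) for the same connection, and a sentence explaining why the second call happens at all would let the maintainer judge whether nulling the pointer fixes the cause or only the symptom.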