Closed vaygr closed 8 years ago
As of testing with default config on Linux (x86_64), Valgrind returns this:
2014-10-21 20:19:02: tcp: 10.0.1.3:34245 -> 10.0.1.6:7000 60 bytes
removing successful knock attempt (10.0.1.3)
==16857== Invalid read of size 8
==16857== at 0x4047A4: sniff (knockd.c:1442)
==16857== by 0x4E322A1: ??? (in /usr/lib/libpcap.so.1.2.1)
==16857== by 0x401D71: main (knockd.c:270)
==16857== Address 0x53deda0 is 16 bytes inside a block of size 24 free'd
==16857== at 0x4C24492: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16857== by 0x4047A3: sniff (knockd.c:1475)
==16857== by 0x4E322A1: ??? (in /usr/lib/libpcap.so.1.2.1)
==16857== by 0x401D71: main (knockd.c:270)
==16857==
which exactly points knockd.c:1442 to:
for(lp = attempts; lp; lp = lp->next) {
and knockd.c:1475 to:
list_free(lp);
in source release 0.7.
I've added some comments in the code and I tried to fix a possible NULL pointer free. Unfortunately I don't have a machine with OpenBSD 5.6 installed (I will fix this soon). Can you please check if my changes had some (hopefully positive) effect?
nope, it stopped working after the first attempt. No crashes, as well no activity.
oh, wait, no. I missed the log entry. It crashes exactly the same way -- on the 2nd attempt.
Ok, it seems that this bug cannot be replicated on Linux so I have to set up a box with OpenBSD 5.6 and start hacking!
2014-12-05 12:34 GMT+01:00 Vlad Glagolev notifications@github.com:
oh, wait, no. I missed the log entry. It crashes exactly the same way -- on the 2nd attempt.
— Reply to this email directly or view it on GitHub.
I still don't have a physical box to try knockd so I've worked with OpenBSD 5.6 RELEASE under VirtualBox. Please tell me if it works now. By the way: I've had to add an ifdef __linux/endif and another include to compile knockd under OpenBSD. So far Debian Stable compiles everything but I'll be glad to ear from users of other OSes and/or other GNU/Linux distros if everything's fine.
Oh, sorry, I've forgotten to mention that. But instead I used this diff:
--- src/knockd.c.orig Tue Jun 10 09:42:04 2014
+++ src/knockd.c Fri Nov 21 14:09:44 2014
@@ -32,12 +32,12 @@
#include <sys/socket.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
-#include <netinet/if_ether.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <net/if.h>
+#include <netinet/if_ether.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
and shouldn't we use DLT_PPP instead of ifdef'ing DLT_LINUX_SLL? Or it's absolutely another device on the OpenBSD platform?
p.s. confirming the above patch resolves the issue
Thanks for the diff: I have changed the order of the includes and I've fixed a possible memory leak. Right now I'm unable to compile everything on OpenBSD (my laptop is too old to handle a VM) but tomorrow I'll check again and if everything's ok I'll issue a pull request.
I've bundled the fixes under Issue #16 into my fork.
I've found an issue in knockd after upgrading from OpenBSD 5.5 to 5.6 on i386. It started to crash on every second knock try.
Backtrace is here (running with '-D' flag):
After some digging I've found these lines:
But shouldn't we use 'break' here to prevent further reference to already freed 'lp' (and therefore 'lp->next') in the next iteration of 'for' cycle:
after we totally free 'lp' recursively in list.c:
? Or did I miss/misunderstand something?
knock is compiled by GCC 4.2.1 with these flags: '-g -Wall -pedantic -fno-exceptions -O2 -pipe'.