Opened 9 years ago
Closed 8 years ago
#613 closed Bug / Defect (worksforme)
OpenVPN crashes with SIGSEGV when no certificate available
Reported by: | r.sokoll | Owned by: | Gert Döring |
---|---|---|---|
Priority: | minor | Milestone: | release 2.3.12 |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.5 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | David Sommerseth |
Description
```
# /usr/local/openvpn/sbin/openvpn --version
OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 4 2014
library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.06
```
If I try to start openvpn from the command line, it crashes with SIGSEGV, see the output from strace:
```
access("/usr/local/openvpn/conf/keys/dh2048.pem", R_OK) = 0
access("/usr/local/openvpn/conf/keys-new/cert.cabundle", R_OK) = 0
access("/usr/local/openvpn/conf/keys-new/wildcard.crt", R_OK) = -1 ENOENT (No such file or directory)
fstat(1, {st_mode=S_IFREG|0600, st_size=2169, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b24d80000
write(1, "Options error: --cert fails with"..., 108) = 108
access("/usr/local/openvpn/conf/keys-new/wildcard.key", R_OK) = -1 ENOENT (No such file or directory)
write(1, "Options error: --key fails with "..., 107) = 107
access("/usr/local/openvpn/run", R_OK|W_OK|X_OK) = 0
access("/usr/local/openvpn/run/openvpn-ish.tcp.new.pid", F_OK) = -1 ENOENT (No such file or directory)
access("/var/log/openvpn", R_OK|W_OK|X_OK) = 0
access("/var/log/openvpn/status.new.tcp", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp", R_OK|W_OK|X_OK) = 0
write(1, "Options error: Please correct th"..., 44) = 44
write(1, "Use --help for more information."..., 33) = 33
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
+++ killed by SIGSEGV +++
```
Obviously, it is my fault since I have wrong file names in the config.
Nevertheless, openvpn should complain and not just crash.
Change History (13)
comment:1 Changed 9 years ago by
Cc: | David Sommerseth added |
---|---|
Milestone: | → release 2.3.9 |
Owner: | set to Gert Döring |
Status: | new → accepted |
comment:2 Changed 9 years ago by
Program invocation:
```
vpngw-users:~ # /usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/conf/ish.tcp.server.new.conf
Segmentation fault
vpngw-users:~ #
```
The log itself is correct:
```
Options error: --cert fails with '/usr/local/openvpn/conf/keys-new/wildcard.crt': No such file or directory
Options error: --key fails with '/usr/local/openvpn/conf/keys-new/wildcard.key': No such file or directory
Options error: Please correct these errors.
Use --help for more information.
```
comment:3 Changed 9 years ago by
Program invocation:
```
vpngw-users:~ # /usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/conf/ish.tcp.server.new.conf
Segmentation fault
vpngw-users:~ #
```
The log itself is correct:
```
Options error: --cert fails with '/usr/local/openvpn/conf/keys-new/wildcard.crt': No such file or directory
Options error: --key fails with '/usr/local/openvpn/conf/keys-new/wildcard.key': No such file or directory
Options error: Please correct these errors.
Use --help for more information.
```
comment:4 Changed 9 years ago by
this is more tricky than I thought... I tried to build a config that matches your strace output (path names, assuming an issue with name lengths or whatever) - and it behaves extremely well, that is: I get an error message, and no crash. Only 32bit/i686, but since it did not crash for me on 64bit/sparc either, it is not something totally dumb (at least :) ).
Is this a build-it-yourself openvpn, or vendor-built, possibly with "improvements"? Non-typical malloc library?
Anything special in the config file?
comment:6 Changed 9 years ago by
Built from sources.
I'm busy right now, will provide more information on Sunday hopefully.
comment:7 Changed 9 years ago by
As said, built from source. Nothing special:
```
vpngw-users:~ # head /usr/local/src/openvpn-2.3.6/config.log
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by OpenVPN configure 2.3.6, which was
generated by GNU Autoconf 2.69. Invocation command line was

  $ ./configure --prefix=/usr/local/openvpn-2.3.6/

## --------- ##
## Platform. ##
vpngw-users:~ #
```
The config
```
daemon
mode server
log-append /var/log/openvpn/log.new.tcp
status /var/log/openvpn/status.new.tcp 60
port 4443
proto tcp-server
dev tun
tls-server
comp-lzo
ca /usr/local/openvpn/conf/keys-new/cert.cabundle
cert /usr/local/openvpn/conf/keys-new/wildcard.crt
key /usr/local/openvpn/conf/keys-new/wildcard.key
dh /usr/local/openvpn/conf/keys/dh2048.pem
ifconfig 10.0.1.1 10.0.1.2
ifconfig-pool 10.0.1.4 10.0.1.255
push "route 10.0.1.1 255.255.255.255"
push "redirect-gateway"
push "dhcp-option DOMAIN <redacted>"
push "dhcp-option DNS <redacted>"
push "dhcp-option DNS <redacted>"
push "dhcp-option WINS <redacted>"
push "dhcp-option WINS <redacted>"
push "dhcp-option NBT 2"
inactive 600
route 10.0.1.0 255.255.255.0
persist-key
persist-tun
ping-timer-rem
ping-restart 60
ping 10
writepid /usr/local/openvpn/run/openvpn-ish.tcp.new.pid
verb 3
plugin /lib/security/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
duplicate-cn
```
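A pre-flight check an operator can run before starting the daemon, as an added example that is not part of this ticket or of OpenVPN's code: it repeats the `R_OK` probes seen in the strace for the `ca`, `cert`, `key` and `dh` directives and reports every unreadable file in one pass. The function names and the sample config are constructed for illustration, and the parser assumes unquoted paths without whitespace.

```sh
#!/bin/sh
# Added example: verify that file-valued OpenVPN directives point at
# readable files before the daemon is started.

# Directives whose first argument must be a readable file (from the config above).
FILE_OPTS="ca cert key dh"

# check_openvpn_files CONFIG
# Prints one line per unreadable file. Returns 0 if all are readable,
# 1 if any is missing, 2 if the config itself cannot be read.
check_openvpn_files() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read config: $conf" >&2; return 2; }
    bad=0
    # "|| [ -n "$opt" ]" also handles a last line without a trailing newline.
    while read -r opt path rest || [ -n "$opt" ]; do
        for want in $FILE_OPTS; do
            [ "$opt" = "$want" ] || continue
            if [ ! -r "$path" ]; then
                echo "--$opt: not readable: $path"
                bad=1
            fi
        done
    done < "$conf"
    return $bad
}

# Constructed sample: ca and dh exist, cert and key do not (as in this ticket).
make_sample() {
    d=$(mktemp -d) || return 1
    : > "$d/cert.cabundle"; : > "$d/dh2048.pem"
    cat > "$d/server.conf" <<EOF
# constructed sample config
tls-server
ca $d/cert.cabundle
cert $d/wildcard.crt
key $d/wildcard.key
dh $d/dh2048.pem
EOF
    echo "$d"
}

sample=$(make_sample)
check_openvpn_files "$sample/server.conf" || echo "refusing to start openvpn"
rm -rf "$sample"
```
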
comment:8 Changed 9 years ago by
Can you please run openvpn via gdb and retrieve the backtrace?
```
gdb /path/to/openvpn --args /path/to/openvpn --config vpn.conf
...
...
gdb> bt
...
...
```
comment:9 Changed 9 years ago by
Rainer, we need your help here - I did my best to make it crash or misbehave, but it doesn't do so for me. So it's something special to your machine (compiler version, ...) that is triggering it. Any chance to run from gdb and get a backtrace out?
comment:10 Changed 9 years ago by
Milestone: | release 2.3.9 → release 2.3.10 |
---|
comment:11 Changed 9 years ago by
Milestone: | release 2.3.10 → release 2.3.12 |
---|
comment:12 Changed 8 years ago by
ping r.sokoll? We truly need a backtrace as we're not able to reproduce this easily ourselves.
comment:13 Changed 8 years ago by
Resolution: | → worksforme |
---|---|
Status: | accepted → closed |
Closing. We cannot reproduce it, and without your help, there is no way to figure out what is (was) going on. Sorry.
Thanks for the formal bug report.
I don't think it's "no certificate" (because that perfectly fine "worksforme"), my gut feeling is more like our "is this file there? no -> error!" handler isn't cleaning up properly, and two or more error messages lead to "corruption".
Copying in David, because it's his code - but I'll look into it ASAP.
Rainer, could you copy in the "normal" program output (!= strace) as well, so we can see which files exactly were missing (easier to reproduce)?