Test Suite - valgrind
A call to delete_state(st) frees st: it runs zero(st) and then pfree(st). However, the pointer st may still be stored in md and accessed later. Between the delete and the next access of md->st, the freed memory might be re-allocated to something else, so when md->st is dereferenced it will be junk.
On a responder that receives a v2D to delete #1, pluto calls:
 delete_my_family
 delete(st), which pfree()s st.
However, afterwards:
 success_v2_state_transition -> ikev2_update_counter may still access md->st
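The following is an added illustration of the dangling md->st pattern described above; it is not libreswan code. The struct names, fields and helpers (state, msg_digest, delete_state_unsafe, delete_state_safe, update_counter) are hypothetical stand-ins for the real pluto types. It puts the buggy shape (free the state, leave md->st pointing at it) beside a hardened shape that clears the digest's back-pointer before freeing, so the later transition code can detect that the state is gone instead of reading freed memory.

```c
/* Added example, not libreswan code: the dangling md->st use-after-free
 * pattern and a hardened deletion. All names here are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

struct state {
    int serialno;      /* hypothetical: the "#1" in the text */
    unsigned counter;  /* stands in for what ikev2_update_counter touches */
};

struct msg_digest {
    struct state *st;  /* back-pointer to the state handling this packet */
};

/* Buggy shape: zero(st) + pfree(st), but any md->st pointing here dangles. */
static void delete_state_unsafe(struct state *st)
{
    memset(st, 0, sizeof(*st));   /* zero(st) */
    free(st);                     /* pfree(st) */
}

/* Hardened shape: the deletion is told which digest references the state
 * and clears that reference before the memory is released. */
static void delete_state_safe(struct state *st, struct msg_digest *md)
{
    if (md != NULL && md->st == st)
        md->st = NULL;
    memset(st, 0, sizeof(*st));
    free(st);
}

/* Stand-in for the post-transition code: returns true if it updated the
 * counter, false if the state was deleted during this transition. */
static bool update_counter(struct msg_digest *md)
{
    if (md->st == NULL)
        return false;
    md->st->counter++;
    return true;
}

/* Responder path with the buggy deletion: the state is freed but md.st is
 * left dangling. We only inspect the pointer value, never dereference it;
 * a dereference here is exactly what valgrind flags as an invalid read. */
static bool unsafe_path_leaves_dangling(void)
{
    struct state *st = calloc(1, sizeof(*st));
    if (st == NULL) return false;
    st->serialno = 1;
    struct msg_digest md = { .st = st };

    delete_state_unsafe(st);
    return md.st != NULL;   /* true: stale pointer survives the delete */
}

/* Responder path with the hardened deletion: update_counter sees NULL and
 * declines, so no freed memory is touched. Returns true iff that held. */
static bool responder_handles_delete(void)
{
    struct state *st = calloc(1, sizeof(*st));
    if (st == NULL) return false;
    st->serialno = 1;
    struct msg_digest md = { .st = st };

    delete_state_safe(st, &md);
    bool touched = update_counter(&md);
    return !touched && md.st == NULL;
}

int main(void)
{
    printf("unsafe path leaves dangling md->st: %s\n",
           unsafe_path_leaves_dangling() ? "yes" : "no");
    printf("hardened path avoids stale access: %s\n",
           responder_handles_delete() ? "yes" : "no");
    return 0;
}
```

Running the hardened path under valgrind produces no invalid-read report, because nothing holds a pointer to the freed block once delete_state_safe returns; the same check on the buggy path, with a dereference of md.st added after the delete, reproduces the kind of report shown below.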
Here is a snippet of a trace from valgrind output.
 ==1868== Invalid read of size 4
 ==1868==    at 0x15355D: success_v2_state_transition.isra.0 (ikev2.c:1021)
 ==1868==    by 0x171547: comm_handle (demux.c:218)
 ==1868==    by 0x13AABA: call_server (server.c:743)
 ==1868==    by 0x125474: main (plutomain.c:1381)
 ==1868==  Address 0xb51d028 is 1,144 bytes inside a block of size 1,928 free'd
 ==1868==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
 ==1868==    by 0x134EDC: delete_state (state.c:553)
 ==1868==    by 0x159A7E: process_encrypted_informational_ikev2 (ikev2_parent.c:3390)
 ==1868==    by 0x1541A5: process_v2_packet (ikev2.c:789)
 ==1868==    by 0x171547: comm_handle (demux.c:218)
 ==1868==    by 0x13AABA: call_server (server.c:743)
 ==1868==    by 0x125474: main (plutomain.c:1381)