Netopeer2 segfaults when no certificates exist in keystore #568
Description
In our system we got a crash using latest netopeer2 server (v2.7.0), libnetconf2 (v4.1.2) and the rest of the companion libs). I localized the crash to src/server_config.c in libnetconf2.
Dec 15 21:08:52 infix-00-00-00 confd[3422]: The new configuration has been applied. Dec 15 21:08:53 infix-00-00-00 kernel: netopeer2-serve[3909]: segfault at 28 ip 00007fcfe879eb22 sp 00007fcfe7899890 error 4 in libnetconf2.so.5.1.2[34b22,7fcfe8779000+4a000] likely on CPU 0 (core 0, socket 0) Dec 15 21:08:53 infix-00-00-00 kernel: Code: d2 48 89 ef 4c 89 f1 48 c7 44 24 70 00 00 00 00 48 8d 35 a0 24 03 00 e8 6c bf fd ff 4c 8b 7c 24 70 31 f6 48 8d 15 c4 21 03 00 <49> 8b 7f 28 e8 85 a8 fd ff 48 85 c0 0f 84 ec f8 ff ff 4c 8b 68 20 Dec 15 21:08:53 infix-00-00-00 finit[1]: Service netopeer[3853] died (by signal: 11), restarting (retry in 2000 msec) (attempt: 1/10)
#0 0x00007fcfe879eb22 in config_asymmetric_key_certs (node=0x0, parent_op=NC_OP_NONE, entry=0x7fcfdc001528) at src/server_config.c:4154 #1 config_asymmetric_key (node=, parent_op=, keystore=0x7fcfe7899a10) at src/server_config.c:4229 #2 config_asymmetric_keys (node=, parent_op=, keystore=0x7fcfe7899a10) at src/server_config.c:4258 #3 config_keystore (node=0x7fcfdc0025f0, parent_op=NC_OP_UNKNOWN, config=0x7fcfe78999f0) at src/server_config.c:4282 #4 nc_server_config_keystore (tree=tree@entry=0x7fcfdc0025f0, is_diff=is_diff@entry=1, config=config@entry=0x7fcfe78999f0) at src/server_config.c:4328 #5 0x00007fcfe87ab71a in nc_server_config_setup_diff (data=0x7fcfdc0025f0) at src/server_config.c:6120 #6 0x00007fcfe855ecb4 in ?? () from /lib64/libsysrepo.so.8 #7 0x00007fcfe851e68c in sr_subscription_process_events () from /lib64/libsysrepo.so.8 #8 0x00007fcfe856177b in ?? () from /lib64/libsysrepo.so.8 #9 0x00007fcfe83aa142 in ?? () from /lib64/libc.so.6 #10 0x00007fcfe8425a68 in ?? () from /lib64/libc.so.6 (gdb) QEMU: Terminated
i fixed this by just adding a check if the node is not null before accessing it, the local-user is disabled for us by design.
diff --git a/src/server_config.c b/src/server_config.c
index 9f85655..dc9f59d 100644
--- a/src/server_config.c
+++ b/src/server_config.c
@@ -499,7 +499,8 @@ nc_server_config_load_modules(struct ly_ctx **ctx)
/* no ssh-x509-certs, asymmetric-key-pair-generation */
const char *ietf_ssh_common[] = {"algorithm-discovery", "transport-params", NULL};
/* no ssh-server-keepalives and local-user-auth-hostbased */
- const char *ietf_ssh_server[] = {"local-users-supported", "local-user-auth-publickey", "local-user-auth-password", "local-user-auth-none", NULL};
+ /* no local-users-supported - use system users (PAM/shadow) instead */
+ const char *ietf_ssh_server[] = {NULL};
/* all features */
const char *iana_ssh_encryption_algs[] = {NULL};
/* all features */
@@ -4150,6 +4151,8 @@ config_asymmetric_key_certs(const struct lyd_node *node, enum nc_operation paren
struct lyd_node *n;
enum nc_operation op;
+ if (!node)
+ return 0;
NC_NODE_GET_OP(node, parent_op, &op);
/* configure all certificates */
config:
"ietf-keystore:keystore": {
"asymmetric-keys": {
"asymmetric-key": [
{
"name": "genkey",
"public-key-format": "infix-crypto-types:ssh-public-key-format",
"public-key": "MIIBCgKCAQEAlfddyCYCRuueuo52ykon+rxvPBChHF8HgBE4Tc76SG7xCbkkED9dzXs5RaiVBsytwZ5e4EdO1fwse2UuldbQf8q5JwMaOxG0IpxvCK9/0oTWEy8BLrEWS1ZTwMjgehH1NL5ew0CSlALgq8pLFe97aKWlArYfdSHn1zaAnrNiKx9YjC9RsFYIygDY5YDaSmCdg/9b3EZp/CQ5LbGgPZsQnJUpRuGfd30WRBguSLG3mQFyAjxN3+8Q7kzot12oCyQMVT124CD76e1yUrjfkUPzVxlDGla4jAMQscC+jPq9kmuAY43QdrtPcX1kWXiXedBCWK+N5jNez2XZ3+1yfIGy6QIDAQAB",
"private-key-format": "infix-crypto-types:rsa-private-key-format",
"cleartext-private-key": "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCV913IJgJG6566jnbKSif6vG88EKEcXweAEThNzvpIbvEJuSQQP13NezlFqJUGzK3Bnl7gR07V/Cx7ZS6V1tB/yrknAxo7EbQinG8Ir3/ShNYTLwEusRZLVlPAyOB6EfU0vl7DQJKUAuCryksV73topaUCth91IefXNoCes2IrH1iML1GwVgjKANjlgNpKYJ2D/1vcRmn8JDktsaA9mxCclSlG4Z93fRZEGC5IsbeZAXICPE3f7xDuTOi3XagLJAxVPXbgIPvp7XJSuN+RQ/NXGUMaVriMAxCxwL6M+r2Sa4BjjdB2u09xfWRZeJd50EJYr43mM17PZdnf7XJ8gbLpAgMBAAECggEABUHeQkl+0/CnqF+dL3tJCoO3nJHyq/Vy5Fz2LdgfMxHcllwstPsbtTvoJpaB3vKm9r4wEkm9rEfCYXMLHoqg1ZIMSp9TuJVmzL3SMKpCX2Vzwcloj7P6lZqJph0ErZLal0ZDOTIW0WSGbs9RMYwrNeB0t/MdiDQvlf5dpPKh8uQBLWycToAcycTid5wwvA3jrQZXrdfjgPgWrROydRtI/6H8PekkQYixWiuvgwDzf36kEcFy6z6KaJc1csKwNNxp8N1T1GjKvrVy248/IMn+ksbRWckOUjNUMpgjJv5AahsY0NohzHEGDTUI0q/UWw8jb59C5g8joJm0p7s8jq1kgQKBgQDL9ds/k1ds4Uh2yIdrkdfiFQkqj7qyORGE7usgSb5HLnF0OSgLB1WIwcX/loAYZkbTKEcpy0Lyg2J8H5OBeH4rAkCefiv3tAyTUv/OXl3OCw9gmEdl5o4PfC3A8nqjI3gcnfOcVWKnNm7bSovEpqjgKgAg4wUEF+bJkfpEurlviQKBgQC8OsKigh9HvYYMXzMARVyxhrF53zrXCF6Rks3n4PLkoI+xRtfsuSTV5Sa0xoh6UoaFoAOpmkamHoU+2y/UgKOsejw5hO5ek5DN8y0KSVZsE+RugK1sd+xMCj+BZ8G+PqWDFo8LVyEAOyibB2MKjMoQs4nC/0bnJFJoyIetPL7wYQKBgQCne6QmeJ950SToJZLOSly0UgHM6WmtoB86wdZiFSwi14hin+y54bPjMPud/cACSTovewu0ziyTaEAfHO7Lil5QgvD9NS51oWwSLj3RALyWzY47C9DVZJWTMa2Am50JCb9AAJRi89qm5JPzjytmuFREfzjLyJ/91IK3Ux/oAEz1wQKBgGCKTrtku8BizzbXOORBrwoKSEp2mMojK8XEIsF0GX/zbd+Bs0thpificNi1HtiGLSKp8Fbznpqi+rpDVyPJmqjixLLHoC53xwQqXgZxmNaz2Sxn6QrB8zsI4otveOonXWJ/lnw9gtqIfQoOXtjRXu3z94tAvM/eTDob56KNjmzhAoGBALc9e0Glexf80QeTd9/J/aNp+Cjojnv8v7fu0z5N+SntB8uimsxXBB7yFdKiOESJMBxERDL1TOzJRZgTFfP9nwLRHWRvV6ajgRZQcl9Ut1eBB363imYggWOfTs3tCgzNwpk9zdv5LbknnFKsXiU3L6izMM+0KhbxLwzmX3NRZBXW"
}
]
}
},
"ietf-netconf-server:netconf-server": {
"listen": {
"endpoints": {
"endpoint": [
{
"name": "default-ssh",
"ssh": {
"tcp-server-parameters": {
"local-bind": [
{
"local-address": "::"
}
]
},
"ssh-server-parameters": {
"server-identity": {
"host-key": [
{
"name": "default-key",
"public-key": {
"central-keystore-reference": "genkey"
}
}
]
}
}
}
}
]
}
}
Metadata
Metadata
Assignees
Labels
No labels