The latest ocserv cannot work well with IOS Anyconnect using profile.xml

Yick Xie yick.xie at gmail.com
Sun Dec 20 12:02:41 PST 2015


Hi Nikos,

Sorry, I don't know how to use valgrind 3.11.0, which always showed
some errors even as I just ran safe ocserv 0.10.8 .

GCC version is:
gcc (Ubuntu 4.8.4-2ubuntu1~14.04) 4.8.4

valgrind ocserv -c /etc/ocserv/config -f
==5112== Memcheck, a memory error detector
==5112== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==5112== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==5112== Command: ocserv -c /etc/ocserv/config -f
==5112==
Setting 'radius' as primary authentication method
Enabling 'certificate' as authentication method
listening (TCP) on 0.0.0.0:443...
listening (UDP) on 0.0.0.0:443...




valgrind: m_scheduler/sema.c:104 (vgModuleLocal_sema_down): Assertion
'sema->owner_lwpid != lwpid' failed.

host stacktrace:
==0==    at 0x3803D1C8: show_sched_status_wrk (m_libcassert.c:343)

sched status:
  running_tid=0

Thread 1: status = VgTs_WaitSys (lwpid 5115)
==0==    at 0x62F3D8A: prctl (syscall-template.S:81)
==0==    by 0x558EEBC: seccomp_load (in
/usr/lib/x86_64-linux-gnu/libseccomp.so.2.1.0)
==0==    by 0x41F04B: disable_system_calls (worker-privs.c:115)
==0==    by 0x40CD9F: vpn_server (worker-vpn.c:417)
==0==    by 0x407529: main (main.c:1251)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.

2015-12-18 18:07 GMT+08:00 Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com>:
> On Wed, Dec 16, 2015 at 11:28 AM, yick xie <yick.xie at gmail.com> wrote:
>> Hello,
>>
>> As the title, running ocserv with the profile.xml config will
>> encounter a server error when an IOS Anyconnect client tries to
>> connect the server. Yet there is no problem when just using Windows 7
>> Anyconnect, or just roughly with profile.xml disabled.
>> The ocserv was complied at commit
>> a52ffc4d06578d0209397753eb6ad3b778ed581e(When max-clients is set
>> adjust the file descriptor limits accordingly). The error shows
>> "segfault at a0 ip 000000000041c95d sp 00007fff95a51c20 error 4 in
>> ocserv[400000+59000]"
>
> Hi Yick,
>  Could you use valgrind to run ocserv and send the output of this
> crash in that case?
>
>> processing: User-Agent: AnyConnect ERROR_NOT_USED 4.0.03016
>
> That's an interesting user-agent string :)
>
>> webvpn=B4HK6PlpHYicYsLXPbLzdnZsGy5X954oDl54R9/mi6R3ZY6jgX9R7OYQUobcS60ToFr6qSU47qF11EZ2kjq3aw6kUfdI9c3Zj1yai2pvGmnGVw==;
>> webvpnc=bu:/&p:t&iu:1/&sh:7E9BB890976A71EB71695B6054CF0ED41FCA4E9D&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2F/etc/ocserv/profile.xml&fh:291FF7BC238526C0C9DA9AE91EB408CB229F07D4;
>
> The cookies are better not sent to a list. They can be used to resume
> your session.
>
> regards,
> Nikos



More information about the openconnect-devel mailing list