CONSISTENCY CHECK FAILED src/main/state.c with EAP Channel Bindings #1990

alejandro-perez opened this Issue May 16, 2017 · 1 comment

alejandro-perez commented May 16, 2017

Issue type

  • Questions about the server or its usage should be posted to the users mailing list.
  • Remote security exploits MUST be sent to security@freeradius.org.
  • Defect - Crash or memory corruption.
  • Defect - Non compliance with a standards document, or incorrect API usage.
  • Defect - Unexpected behaviour (obvious or verified by project member).
  • Feature request.

See here for debugging instructions and how to obtain backtraces.

NOTE: PATCHES GO IN PULL REQUESTS. IF YOU SUBMIT A DIFF HERE, THE DEVELOPMENT TEAM WILL HUNT YOU DOWN AND BEAT YOU OVER THE HEAD WITH YOUR OWN KEYBOARD.

Defect/Feature description

How to reproduce issue

Authenticate using Channel Bindings.

Output of [radiusd|freeradius] -X showing issue occurring

(you may need to run [radiusd|freeradius] -fxx -l stdout if using eg RADIUS with TLS)

) eap: Finished EAP session with state 0x8e3f152688380035
(7) eap: Previous EAP request found for state 0x8e3f152688380035, released from the list
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Authenticate
(7) eap_ttls: Continuing EAP-TLS
(7) eap_ttls: [eaptls verify] = ok
(7) eap_ttls: Done initial handshake
(7) eap_ttls: [eaptls process] = ok
(7) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(7) eap_ttls: Got tunneled request
(7) eap_ttls:   EAP-Channel-Binding-Message = 0x01001201a40361a50f746573742e6a6973632e6e6574
(7) eap_ttls:   EAP-Message = 0x020100160410cdeb2275204ab1a91440e849a54ca4be
(7) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_ttls: Sending tunneled request
(7) eap_ttls: received chbind request
(7) Virtual server channel_bindings received request
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "alex@um.es"
(7)   GSS-Acceptor-Service-Name = "a"
(7)   GSS-Acceptor-Host-Name = "test.jisc.net"
(7) server channel_bindings {
(7)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/channel_bindings
(7)     authorize {
(7)       policy abfab_channel_bindings {
(7)         if (GSS-Acceptor-Service-Name && (outer.request:GSS-Acceptor-Service-Name != GSS-Acceptor-Service-Name)) {
(7)         if (GSS-Acceptor-Service-Name && (outer.request:GSS-Acceptor-Service-Name != GSS-Acceptor-Service-Name))  -> FALSE
(7)         if (GSS-Acceptor-Host-Name && outer.request:GSS-Acceptor-Host-Name != GSS-Acceptor-Host-Name ) {
(7)         if (GSS-Acceptor-Host-Name && outer.request:GSS-Acceptor-Host-Name != GSS-Acceptor-Host-Name )  -> FALSE
(7)         if (GSS-Acceptor-Realm-Name && outer.request:GSS-Acceptor-Realm-Name != GSS-Acceptor-Realm-Name ) {
(7)         if (GSS-Acceptor-Realm-Name && outer.request:GSS-Acceptor-Realm-Name != GSS-Acceptor-Realm-Name )  -> FALSE
(7)         if (GSS-Acceptor-Service-Name || GSS-Acceptor-Realm-Name || GSS-Acceptor-Host-Name) {
(7)         if (GSS-Acceptor-Service-Name || GSS-Acceptor-Realm-Name || GSS-Acceptor-Host-Name)  -> TRUE
(7)         if (GSS-Acceptor-Service-Name || GSS-Acceptor-Realm-Name || GSS-Acceptor-Host-Name)  {
(7)           update control {
(7)             Chbind-Response-Code := success
(7)           } # update control = noop
(7)           update reply {
(7)             GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name -> 'a'
(7)             GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name -> 'test.jisc.net'
(7)             No attributes updated
(7)           } # update reply = noop
(7)         } # if (GSS-Acceptor-Service-Name || GSS-Acceptor-Realm-Name || GSS-Acceptor-Host-Name)  = noop
(7)         [handled] = handled
(7)       } # policy abfab_channel_bindings = handled
(7)     } # authorize = handled
(7) } # server channel_bindings
(7) Virtual server sending reply
(7)   GSS-Acceptor-Service-Name = "a"
(7)   GSS-Acceptor-Host-Name = "test.jisc.net"
(7) Sending chbind response: code 2
(7)   GSS-Acceptor-Service-Name = "a"
(7)   GSS-Acceptor-Host-Name = "test.jisc.net"
(7) eap_ttls: sending chbind response
(7) Virtual server inner-tunnel received request
(7)   EAP-Channel-Binding-Message = 0x01001201a40361a50f746573742e6a6973632e6e6574
(7)   EAP-Message = 0x020100160410cdeb2275204ab1a91440e849a54ca4be
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "alex@um.es"
(7)   State = 0x87ad01f587ac05083f7bdc41dc98e95b
(7) server inner-tunnel {
(7)   session-state: No cached attributes
CONSISTENCY CHECK FAILED src/main/state.c[436]: Expected VALUE_PAIR "EAP-Channel-Binding-Message" to be parented by 0x29f9f70 (RADIUS_PACKET), instead parented by 0x29f9ba0 (RADIUS_PACKET)

Talloc chunk lineage:
0x29f9f70 (RADIUS_PACKET) < 0x29f9dd0 (REQUEST) < 0x29d7650 (REQUEST) < 0x29d75f0 (request_receive_pool)
Talloc context level 0:
Talloc chunk lineage:
0x29f9ba0 (RADIUS_PACKET) < 0x29f9dd0 (REQUEST) < 0x29d7650 (REQUEST) < 0x29d75f0 (request_receive_pool)
Talloc context level 0:
SOFT ASSERT FAILED src/lib/pair.c[2437]: 0
CAUGHT SIGNAL: Aborted
Backtrace of last 26 frames:
/usr/local/lib/libfreeradius-radius.so(fr_fault+0x115)[0x7f5c5d684229]
/usr/local/lib/libfreeradius-radius.so(fr_assert_cond+0x4c)[0x7f5c5d684cc0]
/usr/local/lib/libfreeradius-radius.so(fr_pair_list_verify+0x11c)[0x7f5c5d695f32]
/usr/local/lib/libfreeradius-server.so(+0x24b93)[0x7f5c5d8e5b93]
/usr/local/lib/libfreeradius-server.so(verify_request+0x124)[0x7f5c5d8e5cc1]
radiusd(fr_state_get_vps+0x222)[0x4339d6]
radiusd(rad_authenticate+0x237)[0x411626]
radiusd(rad_virtual_server+0x512)[0x41232f]
/usr/local/lib/rlm_eap_ttls.so(eapttls_process+0xa67)[0x7f5c54820c3a]
/usr/local/lib/rlm_eap_ttls.so(+0x248a)[0x7f5c5481e48a]
/usr/local/lib/rlm_eap.so(+0x4448)[0x7f5c5a99a448]
/usr/local/lib/rlm_eap.so(eap_method_select+0x430)[0x7f5c5a99ae30]
/usr/local/lib/rlm_eap.so(+0x3012)[0x7f5c5a999012]
radiusd[0x42a5e3]
radiusd[0x42ac95]
radiusd[0x42a7a4]
radiusd[0x42b6c4]
radiusd(modcall+0xa2)[0x42c434]
radiusd(indexed_modcall+0x363)[0x427bf7]
radiusd(process_authenticate+0x22)[0x429edb]
radiusd[0x410fe2]
radiusd(rad_authenticate+0x520)[0x41190f]
radiusd[0x43f16c]
radiusd[0x43ad61]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x6b50)[0x7f5c5c3bcb50]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f5c5becffbd]
No panic action set
Aborted

Full backtrace from LLDB or GDB

#1  0x00007ffff7962180 in fr_fault (sig=6) at src/lib/debug.c:641
        cmd = '\000' <repeats 16 times>, "(z\377\367\377\177\000\000\030\233\225\367\377\177\000\000\250\227\225\367\377\177\000\000\200\206\225\367\377\177\000\000\000\000\000\000\005\000\000\000@\001\000\000\001\000\000\000\000^b8f5f0\200}\377\367\377\177\000\000\020^n\355\377\177\000\000\000\000\000\000\000\000\000\000\070^n\355\377\177\000\000(z\377\367\377\177\000\000\230\061d\312\000\000\000\000\322k\336\367\377\177", '\000' <repeats 18 times>, "\005\000\000\000\377\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000\377\177\000\000(z\377\367\377\177", '\000' <repeats 42 times>"\200, }\377\367\377\177\000\000\300]n\355\377\177\000\000\330]n\355\377\177\000\000\000\000G5\001", '\000' <repeats 11 times>"\377, \377\377\377\377\377\377\377\030\233\225\367\377\177\000\000p[n\355\377\177", '\000' <repeats 18 times>, "I \032\366\377\177\000\000\377\377\377\377\000\000\000\000\223\034\024\366\377\177", '\000' <repeats 11 times>...
        out = 0x7fffed6e5c50 ""
        left = 532
        ret = 140737351977509
        p = 0x7ffff7b9cec0 ""
        q = 0x2b <Address 0x2b out of bounds>
        code = 32767
#2  0x00007ffff7962cc0 in fr_assert_cond (file=0x7ffff79907ce "src/lib/pair.c", line=2437, expr=0x7ffff7990e5e "0", cond=false) at src/lib/debug.c:1093
No locals.
#3  0x00007ffff7973f32 in fr_pair_list_verify (file=0x467b05 "src/main/state.c", line=436, expected=0xbb1f70, vps=0xbb2ef0) at src/lib/pair.c:2437
        cursor = {first = 0x7fffed6e5f00, found = 0x0, last = 0x0, current = 0xbb2ef0, next = 0x0}
        vp = 0xbb2ef0
        parent = 0xbb1ba0
#4  0x00007ffff7bc3b93 in verify_packet (file=0x467b05 "src/main/state.c", line=436, request=0xbb1dd0, packet=0xbb1f70, type=0x7ffff7bd592f "reply") at src/main/util.c:1097
        parent = 0xbb1dd0
#5  0x00007ffff7bc3cc1 in verify_request (file=0x467b05 "src/main/state.c", line=436, request=0xbb1dd0) at src/main/util.c:1119
No locals.
#6  0x00000000004339d6 in fr_state_get_vps (request=0xbb1dd0, packet=0xbb1ba0) at src/main/state.c:436
        entry = 0x0
        state = 0x681460
        old_ctx = 0x0
#7  0x0000000000411626 in rad_authenticate (request=0xbb1dd0) at src/main/auth.c:484
        check_item = 0x8000b91c30
        module_msg = 0xb9c050
        tmp = 0x0
        result = 0
        autz_retry = 0 '\000'
        autz_type = 0
#8  0x000000000041232f in rad_virtual_server (request=0xbb1dd0) at src/main/auth.c:813
        vp = 0xb9bf00
        result = 32767
#9  0x00007fffeeafec3a in eapttls_process (handler=0xac6720, tls_session=0xb727a0) at src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c:1203
        code = PW_CODE_ACCESS_REJECT
        rcode = 32767
        fake = 0xbb1dd0
        vp = 0x0
        t = 0xb8e9d0
        data = 0xb768f0 ""
        data_len = 68
        request = 0xb8f650
        chbind = 0xbb2440
#10 0x00007fffeeafc48a in mod_process (arg=0x916d50, handler=0xac6720) at src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c:317
        rcode = -141130936
        status = FR_TLS_OK
        inst = 0x916d50
        tls_session = 0xb727a0
        t = 0xb8e9d0
        request = 0xb8f650
#11 0x00007ffff4c78448 in eap_module_call (module=0x917140, handler=0xac6720) at src/modules/rlm_eap/eap.c:194
        rcode = 1
        request = 0xb8f650
        caller = 0x8dfc40 "eap"
#12 0x00007ffff4c78e30 in eap_method_select (inst=0x8e0500, handler=0xac6720) at src/modules/rlm_eap/eap.c:457
        type = 0xb705d0
        request = 0xb8f650
        next = PW_EAP_MD5
        vp = 0x907fffed6e67c8
#13 0x00007ffff4c77012 in mod_authenticate (instance=0x8e0500, request=0xb8f650) at src/modules/rlm_eap/rlm_eap.c:288
        inst = 0x8e0500
        handler = 0xac6720
        eap_packet = 0x0
        status = 1000
        rcode = RLM_MODULE_REJECT
#14 0x000000000042a5e3 in call_modsingle (component=MOD_AUTHENTICATE, sp=0xa7c690, request=0xb8f650) at src/main/modcall.c:302
        blocked = 0
        indent = 4
#15 0x000000000042ac95 in modcall_recurse (request=0xb8f650, component=MOD_AUTHENTICATE, depth=1, entry=0x7fffed6e7528, do_next_sibling=true) at src/main/modcall.c:578
        sp = 0xa7c690
        if_taken = false
        was_if = false
        c = 0xa7c690
        priority = -1
        result = RLM_MODULE_UNKNOWN
#16 0x000000000042a7a4 in modcall_child (request=0xb8f650, component=MOD_AUTHENTICATE, depth=1, entry=0x7fffed6e7510, c=0xa7c690, result=0x7fffed6e7404, do_next_sibling=true) at src/main/modcall.c:408
        next = 0x7fffed6e7528
#17 0x000000000042b6c4 in modcall_recurse (request=0xb8f650, component=MOD_AUTHENTICATE, depth=0, entry=0x7fffed6e7510, do_next_sibling=true) at src/main/modcall.c:789
        g = 0xa7c5a0
        if_taken = false
        was_if = false
        c = 0xa7c5a0
        priority = -1
        result = RLM_MODULE_UNKNOWN
#18 0x000000000042c434 in modcall (component=MOD_AUTHENTICATE, c=0xa7c5a0, request=0xb8f650) at src/main/modcall.c:1134
        stack = {{result = RLM_MODULE_REJECT, priority = 0, unwind = 0, c = 0xa7c5a0}, {result = RLM_MODULE_REJECT, priority = 0, unwind = 0, c = 0xa7c690}, {result = RLM_MODULE_REJECT, priority = 0, unwind = 0, 
            c = 0x0} <repeats 30 times>}
#19 0x0000000000427bf7 in indexed_modcall (comp=MOD_AUTHENTICATE, idx=4402280, request=0xb8f650) at src/main/modules.c:1028
        rcode = 32767
        list = 0xa7c5a0
        server = 0xa7c2d0
#20 0x0000000000429edb in process_authenticate (auth_type=4402280, request=0xb8f650) at src/main/modules.c:2168
No locals.
#21 0x0000000000410fe2 in rad_check_password (request=0xb8f650) at src/main/auth.c:252
        cursor = {first = 0xb8f698, found = 0xb91560, last = 0x0, current = 0x0, next = 0x0}
        auth_type_pair = 0x0
        auth_type = 4402280
        result = 0
        auth_type_count = 1
#22 0x000000000041190f in rad_authenticate (request=0xb8f650) at src/main/auth.c:571
        check_item = 0x3
        module_msg = 0x43e7c2
        tmp = 0x0
        result = 2
        autz_retry = 0 '\000'
        autz_type = 0
#23 0x000000000043f16c in request_running (request=0xb8f650, action=1) at src/main/process.c:1535
        __FUNCTION__ = "request_running"
#24 0x000000000043ad61 in request_handler_thread (arg=0xa8bc30) at src/main/threads.c:698
        self = 0xa8bc30
#25 0x00007ffff669ab50 in start_thread (arg=<optimized out>) at pthread_create.c:304
        __res = <optimized out>
        pd = 0x7fffed6e8700
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737176831744, 3436720120486105880, 140737327551008, 140737176832448, 140737354125376, 3, -3436681504407481576, -3436736421662092520}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 
              0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#26 0x00007ffff61adfbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#27 0x0000000000000000 in ?? ()

@alandekok alandekok added a commit that referenced this issue May 16, 2017

alandekok, commit 3047fc6: use correct packet for channel binding. Closes #1990

alandekok closed this in 3ae9ecb May 16, 2017

alejandro-perez commented May 16, 2017

Thanks @alandekok.
Fix confirmed.
