-
Notifications
You must be signed in to change notification settings - Fork 1.1k
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Double-free error with attributes of certain length and debug_request policy #843
Comments
The result actually depends on the debug level. Running with |
The issue is with the debug_request code. It plays fast and loose with data. This isn't something people will run into in normal operation. |
Yeah, it's not critical, just wanted to fix it so asked @anet-herwin to open an issue to track. It's no longer playing that fast and loose either, it's using the same cast function as the rest of the code (instead of calling the RADIUS decoder). |
This fixes the bug described in #843
This has been fixed in PR #844, so this issue can be closed now. |
After adding a dummy attribute of 116 bytes to my request and calling
debug_request
, I got a crash of freeradius. Changing the attribute to a length of 115 or 117 does not crash it. Tested with v3.0.xThe config (in post_auth, just after copying the session-state):
This generates a double-free error on my system:
I looked quickly at the code, but I don't really get how this could trigger this error, it might be something in libtalloc.
System information: Debian stable (wheezy), 32-bit, up-to-date, libtalloc from wheezy-backports (version 2.1.1-1~bpo70+1)
The text was updated successfully, but these errors were encountered: