Double-free error with attributes of certain length and debug_request policy #843

Closed
qnet-herwin opened this Issue Nov 26, 2014 · 4 comments


@qnet-herwin
Contributor

After adding a dummy attribute of 116 bytes to my request and calling debug_request, I got a crash of freeradius. Changing the attribute to a length of 115 or 117 does not crash it. Tested with v3.0.x

The config (in post_auth, just after copying the session-state):

update request {
  &Tmp-String-0 := 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
}
debug_request

This generates a double-free error on my system:

Wed Nov 26 10:39:17 2014 : Info: (0)       Attributes matching "request:"
Wed Nov 26 10:39:17 2014 : Info: (0)         &request:User-Name = bob
Wed Nov 26 10:39:17 2014 : Info: (0)         Type   : string
Wed Nov 26 10:39:17 2014 : Info: (0)         Length : 3
Wed Nov 26 10:39:17 2014 : Debug: (0)           as integer    : 0
Wed Nov 26 10:39:17 2014 : Debug: (0)           as octets     : 0x626f62
Wed Nov 26 10:39:17 2014 : Debug: (0)           as byte       : 0
Wed Nov 26 10:39:17 2014 : Debug: (0)           as short      : 0
Wed Nov 26 10:39:17 2014 : Debug: (0)           as signed     : 0
Wed Nov 26 10:39:17 2014 : Debug: (0)           as uint8      : 0
Wed Nov 26 10:39:17 2014 : Debug: (0)           as uint16     : 0
Wed Nov 26 10:39:17 2014 : Debug: (0)           as uint32     : 0
Wed Nov 26 10:39:17 2014 : Debug: (0)           as int32      : 0
.....
Wed Nov 26 10:39:17 2014 : Info: (0)         &request:Tmp-String-0 := aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Wed Nov 26 10:39:17 2014 : Info: (0)         Type   : string
Wed Nov 26 10:39:17 2014 : Info: (0)         Length : 116
Wed Nov 26 10:39:17 2014 : Debug: (0)           as integer    : 0
** glibc detected *** /opt/freeradius/sbin/radiusd: double free or corruption (!prev): 0x0829d168 ***
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x70c91)[0xf7b80c91]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x724f8)[0xf7b824f8]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(cfree+0x6d)[0xf7b8563d]
/usr/lib/i386-linux-gnu/libtalloc.so.2(_talloc_free+0x15c)[0xf7d36eac]
======= Memory map: ========
08048000-080b1000 r-xp 00000000 fc:00 131720                             /opt/freeradius/sbin/radiusd
080b1000-080b4000 rwxp 00069000 fc:00 131720                             /opt/freeradius/sbin/radiusd
080b4000-082ba000 rwxp 00000000 00:00 0                                  [heap]
f7800000-f7821000 rwxp 00000000 00:00 0 
f7821000-f7900000 ---p 00000000 00:00 0 
f79c4000-f79e0000 r-xp 00000000 09:01 1021                               /lib/i386-linux-gnu/libgcc_s.so.1
f79e0000-f79e1000 rwxp 0001b000 09:01 1021                               /lib/i386-linux-gnu/libgcc_s.so.1
f79e1000-f79e5000 r-xp 00000000 09:01 4746                               /lib/i386-linux-gnu/i686/cmov/libnss_dns-2.13.so
f79e5000-f79e6000 r-xp 00004000 09:01 4746                               /lib/i386-linux-gnu/i686/cmov/libnss_dns-2.13.so
f79e6000-f79e7000 rwxp 00005000 09:01 4746                               /lib/i386-linux-gnu/i686/cmov/libnss_dns-2.13.so
f79f1000-f79fb000 r-xp 00000000 09:01 4747                               /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
f79fb000-f79fc000 r-xp 00009000 09:01 4747                               /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
f79fc000-f79fd000 rwxp 0000a000 09:01 4747                               /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
f7a06000-f7a07000 rwxp 00000000 00:00 0 
f7a07000-f7a09000 r-xp 00000000 fc:00 131661                             /opt/freeradius/lib/rlm_soh.so
f7a09000-f7a0a000 rwxp 00001000 fc:00 131661                             /opt/freeradius/lib/rlm_soh.so
f7a0a000-f7a0b000 r-xp 00000000 fc:00 131700                             /opt/freeradius/lib/rlm_utf8.so
f7a0b000-f7a0c000 rwxp 00000000 fc:00 131700                             /opt/freeradius/lib/rlm_utf8.so
f7a0c000-f7a0f000 r-xp 00000000 fc:00 131612                             /opt/freeradius/lib/rlm_logintime.so
f7a0f000-f7a10000 rwxp 00002000 fc:00 131612                             /opt/freeradius/lib/rlm_logintime.so
f7a10000-f7a17000 r-xp 00000000 fc:00 131712                             /opt/freeradius/lib/rlm_dhcp.so
f7a17000-f7a18000 rwxp 00006000 fc:00 131712                             /opt/freeradius/lib/rlm_dhcp.so
f7a18000-f7a1a000 r-xp 00000000 fc:00 132705                             /opt/freeradius/lib/rlm_chap.so
f7a1a000-f7a1b000 rwxp 00001000 fc:00 132705                             /opt/freeradius/lib/rlm_chap.so
f7a1b000-f7a1d000 r-xp 00000000 fc:00 131652                             /opt/freeradius/lib/rlm_replicate.so
f7a1d000-f7a1e000 rwxp 00001000 fc:00 131652                             /opt/freeradius/lib/rlm_replicate.so
f7a1e000-f7a21000 r-xp 00000000 fc:00 131537                             /opt/freeradius/lib/rlm_digest.so
f7a21000-f7a22000 rwxp 00002000 fc:00 131537                             /opt/freeradius/lib/rlm_digest.so
f7a22000-f7a28000 r-xp 00000000 fc:00 131586                             /opt/freeradius/lib/rlm_expr.so
f7a28000-f7a29000 rwxp 00006000 fc:00 131586                             /opt/freeradius/lib/rlm_expr.so
f7a29000-f7a2b000 r-xp 00000000 fc:00 131520                             /opt/freeradius/lib/rlm_cache_rbtree.so
f7a2b000-f7a2c000 rwxp 00001000 fc:00 131520                             /opt/freeradius/lib/rlm_cache_rbtree.so
f7a2c000-f7a30000 r-xp 00000000 fc:00 131514                             /opt/freeradius/lib/rlm_cache.so
f7a30000-f7a31000 rwxp 00003000 fc:00 131514                             /opt/freeradius/lib/rlm_cache.so
f7a31000-f7a34000 r-xp 00000000 fc:00 131628                             /opt/freeradius/lib/rlm_passwd.so
f7a34000-f7a35000 rwxp 00002000 fc:00 131628                             /opt/freeradius/lib/rlm_passwd.so
f7a35000-f7a37000 r-xp 00000000 fc:00 131510                             /opt/freeradius/lib/rlm_attr_filter.so
f7a37000-f7a38000 rwxp 00001000 fc:00 131510                             /opt/freeradius/lib/rlm_attr_filter.so
f7a38000-f7a3a000 r-xp 00000000 fc:00 131583                             /opt/freeradius/lib/rlm_expiration.so
f7a3a000-f7a3b000 rwxp 00001000 fc:00 131583                             /opt/freeradius/lib/rlm_expiration.so
f7a3b000-f7a44000 r-xp 00000000 fc:00 131615                             /opt/freeradius/lib/rlm_mschap.so
f7a44000-f7a45000 rwxp 00009000 fc:00 131615                             /opt/freeradius/lib/rlm_mschap.so
f7a45000-f7a47000 r-xp 00000000 fc:00 131697                             /opt/freeradius/lib/rlm_unpack.so
f7a47000-f7a48000 rwxp 00001000 fc:00 131697                             /opt/freeradius/lib/rlm_unpack.so
f7a48000-f7a4b000 r-xp 00000000 fc:00 131589                             /opt/freeradius/lib/rlm_files.so
f7a4b000-f7a4c000 rwxp 00002000 fc:00 131589                             /opt/freeradius/lib/rlm_files.so
f7a4c000-f7a4f000 r-xp 00000000 fc:00 131694                             /opt/freeradius/lib/rlm_unix.so
f7a4f000-f7a50000 rwxp 00002000 fc:00 131694                             /opt/freeradius/lib/rlm_unix.so
f7a50000-f7a55000 r-xp 00000000 fc:00 131625                             /opt/freeradius/lib/rlm_pap.so
f7a55000-f7a56000 rwxp 00004000 fc:00 131625                             /opt/freeradius/lib/rlm_pap.so
f7a56000-f7a58000 r-xp 00000000 fc:00 131609                             /opt/freeradius/lib/rlm_linelog.so
f7a58000-f7a59000 rwxp 00001000 fc:00 131609                             /opt/freeradius/lib/rlm_linelog.so
f7a59000-f7a5a000 r-xp 00000000 fc:00 131613                             /opt/freeradius/lib/rlm_always.so
f7a5a000-f7a5b000 rwxp 00001000 fc:00 131613                             /opt/freeradius/lib/rlm_always.so
f7a5b000-f7a5c000 r-xp 00000000 fc:00 131540                             /opt/freeradius/lib/rlm_dynamic_clients.so
f7a5c000-f7a5d000 rwxp 00001000 fc:00 131540                             /opt/freeradius/lib/rlm_dynamic_clients.so
f7a5d000-f7a60000 r-xp 00000000 fc:00 131634                             /opt/freeradius/lib/rlm_preprocess.so
f7a60000-f7a61000 rwxp 00002000 fc:00 131634                             /opt/freeradius/lib/rlm_preprocess.so
f7a61000-f7a63000 r-xp 00000000 fc:00 131580                             /opt/freeradius/lib/rlm_exec.so
f7a63000-f7a64000 rwxp 00002000 fc:00 131580                             /opt/freeradius/lib/rlm_exec.so
f7a64000-f7a67000 r-xp 00000000 fc:00 131640                             /opt/freeradius/lib/rlm_radutmp.so
f7a67000-f7a68000 rwxp 00003000 fc:00 131640                             /opt/freeradius/lib/rlm_radutmp.so
f7a68000-f7a6b000 r-xp 00000000 fc:00 131649                             /opt/freeradius/lib/rlm_realm.so
Program received signal SIGABRT, Aborted.
0xf7fdf430 in __kernel_vsyscall ()
(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7b3a661 in raise () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#2  0xf7b3da92 in abort () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#3  0xf7b76ba5 in ?? () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#4  0xf7b80c91 in ?? () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#5  0xf7b824f8 in ?? () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#6  0xf7b8563d in free () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
#7  0xf7d36eac in _talloc_free () from /usr/lib/i386-linux-gnu/libtalloc.so.2
#8  0xf7f81bd8 in ascend_parse_filter (out=0x829d090, value=0x829c768 'a' <repeats 116 times>, len=116) at src/lib/filters.c:983
#9  0xf7f991ce in value_data_from_str (ctx=0x829d090, dst=0x829d090, src_type=0xffffbc68, src_enumv=0x0, src=0x829c768 'a' <repeats 116 times>, src_len=116) at src/lib/value.c:580
#10 0xf7f99d1e in value_data_cast (ctx=0x829d090, dst=0x829d090, dst_type=PW_TYPE_ABINARY, dst_enumv=0x0, src_type=PW_TYPE_STRING, src_enumv=0x81e8548, src=0x829c714, src_len=116) at src/lib/value.c:982
#11 0xf7fcbe20 in xlat_debug_attr (instance=0x0, request=0x829bfc8, fmt=0x829c818 "request:", out=0x829c858 "", outlen=2048) at src/main/xlat.c:396
#12 0xf7fcfa4e in xlat_aprint (ctx=0x829bfc8, request=0x829bfc8, node=0x82921b0, escape=0, escape_ctx=0x0, lvl=0) at src/main/xlat.c:2106
#13 0xf7fcfcc0 in xlat_process (out=0xffffbea8, request=0x829bfc8, head=0x82921b0, escape=0, escape_ctx=0x0) at src/main/xlat.c:2184
#14 0xf7fcffa7 in xlat_expand_struct (out=0xffffbf6c, outlen=0, request=0x829bfc8, node=0x82921b0, escape=0, escape_ctx=0x0) at src/main/xlat.c:2256
#15 0xf7fd03d5 in radius_axlat_struct (out=0xffffbf6c, request=0x829bfc8, xlat=0x82921b0, escape=0, ctx=0x0) at src/main/xlat.c:2380
#16 0xf7fbb175 in radius_expand_tmpl (out=0xffffbf6c, request=0x829bfc8, vpt=0x8241278) at src/main/evaluate.c:119
#17 0xf7fbc488 in radius_evaluate_map (request=0x829bfc8, modreturn=10, depth=0, c=0x82410e8) at src/main/evaluate.c:686
#18 0xf7fbc5bf in radius_evaluate_cond (request=0x829bfc8, modreturn=10, depth=0, c=0x82410e8) at src/main/evaluate.c:746
#19 0x080694d1 in modcall_recurse (request=0x829bfc8, component=RLM_COMPONENT_POST_AUTH, depth=2, entry=0xffffcfb0) at src/main/modcall.c:483
#20 0x0806934f in modcall_child (request=0x829bfc8, component=RLM_COMPONENT_POST_AUTH, depth=2, entry=0xffffcfa0, c=0x828c380, result=0xffffc9bc) at src/main/modcall.c:414
#21 0x08069ec4 in modcall_recurse (request=0x829bfc8, component=RLM_COMPONENT_POST_AUTH, depth=1, entry=0xffffcfa0) at src/main/modcall.c:783
#22 0x0806934f in modcall_child (request=0x829bfc8, component=RLM_COMPONENT_POST_AUTH, depth=1, entry=0xffffcf90, c=0x828be00, result=0xffffcefc) at src/main/modcall.c:414
#23 0x08069ec4 in modcall_recurse (request=0x829bfc8, component=RLM_COMPONENT_POST_AUTH, depth=0, entry=0xffffcf90) at src/main/modcall.c:783
#24 0x0806a92c in modcall (component=RLM_COMPONENT_POST_AUTH, c=0x828bac0, request=0x829bfc8) at src/main/modcall.c:1124
#25 0x08066b20 in indexed_modcall (comp=RLM_COMPONENT_POST_AUTH, idx=0, request=0x829bfc8) at src/main/modules.c:891
#26 0x08068b94 in process_post_auth (postauth_type=0, request=0x829bfc8) at src/main/modules.c:2005
#27 0x08054122 in rad_postauth (request=0x829bfc8) at src/main/auth.c:306
#28 0x0807be9f in request_finish (request=0x829bfc8, action=1) at src/main/process.c:1351
#29 0x0807c505 in request_running (request=0x829bfc8, action=1) at src/main/process.c:1617
#30 0x0807b4e6 in request_queue_or_run (request=0x829bfc8, process=0x807c380 <request_running>) at src/main/process.c:1083
#31 0x0807cc7b in request_receive (listener=0x829a030, packet=0x829be98, client=0x822db10, fun=0x80541c7 <rad_authenticate>) at src/main/process.c:1805
#32 0x0805b39b in auth_socket_recv (listener=0x829a030) at src/main/listen.c:1513
#33 0x08082ae3 in event_socket_handler (xel=0x822ef70, fd=12, ctx=0x829a030) at src/main/process.c:4261
#34 0xf7f9c8c1 in fr_event_loop (el=0x822ef70) at src/lib/event.c:622
#35 0x080845df in radius_event_process () at src/main/process.c:5171
#36 0x08070467 in main (argc=2, argv=0xffffd784) at src/main/radiusd.c:574

I looked quickly at the code, but I don't really get how this could trigger this error; it might be something in libtalloc.

System information: Debian stable (wheezy), 32-bit, up-to-date, libtalloc from wheezy-backports (version 2.1.1-1~bpo70+1)

@qnet-herwin
Contributor

The result actually depends on the debug level. Running with -xxx or lower works fine, -xxxx crashes. Running multi-threaded or single-threaded doesn't make a difference.

@alandekok
Member

The issue is with the debug_request code. It plays fast and loose with data. This isn't something people will run into in normal operation.

@arr2036
Member
arr2036 commented Nov 26, 2014

Yeah, it's not critical; I just wanted to fix it, so I asked @qnet-herwin to open an issue to track it. It's no longer playing that fast and loose either: it's using the same cast function as the rest of the code (instead of calling the RADIUS decoder).

@alandekok added a commit that referenced this issue Nov 26, 2014

@qnet-herwin + @alandekok
Fixed off-by-one error when trying to cast attribute to ascend
This fixes the bug described in #843
9f2ccbe
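The commit above names the cause as an off-by-one in the cast to the ascend (abinary) type, and the report shows that only the 116-byte value misbehaved while 115 and 117 were fine. That is the classic signature of a boundary check that is wrong by exactly one, and the practical lesson is to test a length-limited parser at N-1, N and N+1. The following is an added example, not FreeRADIUS code and not taken from the fix: it reproduces that shape of bug in isolation with a hypothetical fixed-size filter buffer, a guard byte after the usable area so the overrun is observable without a crash, and a correct check beside the wrong one. FILTER_MAX, struct filter_buf, parse_filter_buggy, parse_filter_fixed and canary_intact_after are all invented names; the real filters.c logic, and why its off-by-one surfaced as a talloc double free rather than a plain overrun, are not shown on this page.

```c
/*
 * Constructed illustration (not FreeRADIUS code) of an off-by-one length
 * check in a parser that fills a fixed-size buffer. The destination keeps
 * one extra guard byte after the usable area; if a parser writes to it,
 * the off-by-one is visible without relying on a crash.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILTER_MAX 116          /* hypothetical capacity: FILTER_MAX-1 payload bytes + NUL */
#define CANARY     0xA5

struct filter_buf {
    /* raw[0 .. FILTER_MAX-1] is the usable area, raw[FILTER_MAX] is the guard byte. */
    uint8_t raw[FILTER_MAX + 1];
};

static void filter_buf_init(struct filter_buf *fb)
{
    memset(fb->raw, 0, sizeof fb->raw);
    fb->raw[FILTER_MAX] = CANARY;
}

/*
 * Wrong: 'len > FILTER_MAX' lets len == FILTER_MAX through. The payload
 * copy still fits, but the terminator is then written to raw[FILTER_MAX],
 * one byte past the usable area. 115 and 117 behave correctly, 116 does not.
 */
static int parse_filter_buggy(struct filter_buf *fb, const char *value, size_t len)
{
    if (len > FILTER_MAX) return -1;       /* off by one */
    memcpy(fb->raw, value, len);
    fb->raw[len] = '\0';                    /* clobbers the guard when len == FILTER_MAX */
    return 0;
}

/* Correct: reserve room for the terminator, so len == FILTER_MAX is rejected. */
static int parse_filter_fixed(struct filter_buf *fb, const char *value, size_t len)
{
    if (len >= FILTER_MAX) return -1;
    memcpy(fb->raw, value, len);
    fb->raw[len] = '\0';
    return 0;
}

/*
 * Run one parser on a value of 'len' repeated 'a' bytes (as in the report)
 * and return 1 if the guard byte survived, 0 if the parser overwrote it.
 */
static int canary_intact_after(int (*parse)(struct filter_buf *, const char *, size_t),
                               size_t len)
{
    char value[FILTER_MAX + 2];             /* large enough for the N+1 case */
    struct filter_buf fb;

    if (len > sizeof value) return 0;
    memset(value, 'a', sizeof value);
    filter_buf_init(&fb);
    (void) parse(&fb, value, len);
    return fb.raw[FILTER_MAX] == CANARY;
}

int main(void)
{
    const size_t lens[] = { FILTER_MAX - 1, FILTER_MAX, FILTER_MAX + 1 };

    /* Boundary table: N-1, N, N+1 for both parsers. */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%3zu  buggy guard intact: %d  fixed guard intact: %d\n",
               lens[i],
               canary_intact_after(parse_filter_buggy, lens[i]),
               canary_intact_after(parse_filter_fixed, lens[i]));
    }
    return 0;
}
```

The table the program prints mirrors the reporter's 115/116/117 experiment: only the N case differs between the two parsers, which is why a single length triggered the crash while its neighbours did not. Any parser that bounds a copy into a fixed buffer deserves exactly this three-value check in its regression tests.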
@qnet-herwin
Contributor

This has been fixed in PR #844, so this issue can be closed now.
