FR 3.0.8 Segfault libfreeradius-radius.so / talloc: access after free error - first free may be at src/main/process.c:544 #980

Closed
Schnappatmer opened this Issue Apr 27, 2015 · 4 comments


@Schnappatmer

After a few incoming radsec requests FR 3.0.8 (also current 3.0.9 from GIT) crashes.
FR 3.0.7 runs flawlessly.

Running Ubuntu 14.04 LTS. A crash dump is available.

(13) Received Access-Request Id 222 from 147.174.47.134:51674 to 0.0.0.0:2083 length 116
(13)   User-Name = '734712@uni-wuppertal.de'
(13)   NAS-IP-Address = 147.6.247.5
(13)   NAS-Identifier = 'C-13-WISM1'
(13)   EAP-Message = 0x0202001c0137333339313240756e692d77757070657274616c2e6465
(13)   Message-Authenticator = 0x314b3b1bce4adb344f00f510da6d162b
(13)   Proxy-State = 0x323134
(13) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(13)   authorize {
(13)     policy filter_username {
(13)       if (!User-Name) {
(13)       if (!User-Name)  -> FALSE
(13)       if (User-Name =~ / /) {
(13)       if (User-Name =~ / /)  -> FALSE
(13)       if (User-Name =~ /@.*@/ ) {
(13)       if (User-Name =~ /@.*@/ )  -> FALSE
(13)       if (User-Name =~ /\\.\\./ ) {
(13)       if (User-Name =~ /\\.\\./ )  -> FALSE
(13)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  {
(13)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(13)       if (User-Name =~ /\\.$/)  {
(13)       if (User-Name =~ /\\.$/)   -> FALSE
(13)       if (User-Name =~ /@\\./)  {
(13)       if (User-Name =~ /@\\./)   -> FALSE
(13)     } # policy filter_username = notfound
(13)     if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) ) {
(13)     if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) )  -> FALSE
(13)     [preprocess] = ok
(13) suffix: Checking for suffix after "@"
(13) suffix: Looking up realm "uni-wuppertal.de" for User-Name = "734712@uni-wuppertal.de"
(13) suffix: Found realm "uni-wuppertal.de"
(13) suffix: Adding Stripped-User-Name = "734712"
(13) suffix: Adding Realm = "uni-wuppertal.de"
(13) suffix: Authentication realm is LOCAL
(13)     [suffix] = ok
(13) eap: Peer sent code Response (2) ID 2 length 28
(13) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(13)     [eap] = ok
(13)   } # authorize = ok
(13) Found Auth-Type = EAP
(13) # Executing group from file /etc/freeradius/sites-enabled/default
(13)   authenticate {
(13) eap: Peer sent method Identity (1)
(13) eap: Calling eap_peap to process EAP data
(13) eap_peap: Initiate
(13) eap_peap: Start returned 1
(13) eap: EAP session adding &reply:State = 0xb14f161bb14c0fca
(13)     [eap] = handled
(13)   } # authenticate = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found.  Ignoring.
(13) # Executing group from file /etc/freeradius/sites-enabled/default
(13) Sent Access-Challenge Id 222 from 0.0.0.0:2083 to 147.174.47.134:51674 length 0
(13)   EAP-Message = 0x010300061920
(13)   Message-Authenticator = 0x00000000000000000000000000000000
(13)   State = 0xb14f161bb14c0fca3538d9ce62c192a2
(13)   Proxy-State = 0x323134
(13) Finished request
Thread 2 waiting to be assigned a request
talloc: access after free error - first free may be at src/main/process.c:544

Bad talloc magic value - access after free

talloc abort: Bad talloc magic value - access after free

Backtrace of last 16 frames:
/usr/lib/freeradius/libfreeradius-radius.so(+0xc678)[0x7ff9eb264678]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x1b5f)[0x7ff9eaa14b5f]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_get_name+0x3f)[0x7ff9eaa155ff]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_get_type_abort+0x1d)[0x7ff9eaa185dd]
/usr/lib/freeradius/libfreeradius-radius.so(fr_pair_verify_vp+0x85)[0x7ff9eb275598]
/usr/lib/freeradius/libfreeradius-radius.so(_fr_cursor_init+0x67)[0x7ff9eb262f30]
/usr/lib/freeradius/libfreeradius-radius.so(paircopy+0x3e)[0x7ff9eb272e80]
freeradius(tls_application_data+0x29c)[0x456ef2]
freeradius[0x457d7a]
freeradius(dual_tls_recv+0x51)[0x4583de]
freeradius[0x44582c]
/usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x63b)[0x7ff9eb28cd18]
freeradius(radius_event_process+0x26)[0x44763f]
freeradius(main+0xc78)[0x431751]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ff9ea014ec5]
freeradius[0x40e129]
Aborted (core dumped)
@arr2036
Member
arr2036 commented Apr 27, 2015

Can you provide a gdb backtrace? Instructions here: http://wiki.freeradius.org/project/bug-reports

@Schnappatmer
talloc: access after free error - first free may be at src/main/process.c:544

Bad talloc magic value - access after free

talloc abort: Bad talloc magic value - access after free

Backtrace of last 16 frames:
/usr/lib/freeradius/libfreeradius-radius.so(+0xc678)[0x7ffff795f678]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x1b5f)[0x7ffff710fb5f]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_get_name+0x3f)[0x7ffff71105ff]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_get_type_abort+0x1d)[0x7ffff71135dd]
/usr/lib/freeradius/libfreeradius-radius.so(fr_pair_verify_vp+0x85)[0x7ffff7970598]
/usr/lib/freeradius/libfreeradius-radius.so(_fr_cursor_init+0x67)[0x7ffff795df30]
/usr/lib/freeradius/libfreeradius-radius.so(paircopy+0x3e)[0x7ffff796de80]
/usr/sbin/freeradius(tls_application_data+0x29c)[0x456ef2]
/usr/sbin/freeradius[0x457d7a]
/usr/sbin/freeradius(dual_tls_recv+0x51)[0x4583de]
/usr/sbin/freeradius[0x44582c]
/usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x63b)[0x7ffff7987d18]
/usr/sbin/freeradius(radius_event_process+0x26)[0x44763f]
/usr/sbin/freeradius(main+0xc78)[0x431751]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff670fec5]
/usr/sbin/freeradius[0x40e129]

Program received signal SIGABRT, Aborted.
0x00007ffff6724cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6724cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff67280d8 in __GI_abort () at abort.c:89
#2  0x00007ffff795f6c1 in ?? () from /usr/lib/freeradius/libfreeradius-radius.so
#3  0x00007ffff710fb5f in ?? () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2
#4  0x00007ffff71105ff in talloc_get_name () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2
#5  0x00007ffff71135dd in _talloc_get_type_abort () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2
#6  0x00007ffff7970598 in fr_pair_verify_vp () from /usr/lib/freeradius/libfreeradius-radius.so
#7  0x00007ffff795df30 in _fr_cursor_init () from /usr/lib/freeradius/libfreeradius-radius.so
#8  0x00007ffff796de80 in paircopy () from /usr/lib/freeradius/libfreeradius-radius.so
#9  0x0000000000456ef2 in tls_application_data ()
#10 0x0000000000457d7a in ?? ()
#11 0x00000000004583de in dual_tls_recv ()
#12 0x000000000044582c in ?? ()
#13 0x00007ffff7987d18 in fr_event_loop () from /usr/lib/freeradius/libfreeradius-radius.so
#14 0x000000000044763f in radius_event_process ()
#15 0x0000000000431751 in main ()
@arr2036
Member
arr2036 commented Apr 27, 2015

On 27 Apr 2015, at 13:12, Schnappatmer notifications@github.com wrote:

talloc: access after free error - first free may be at src/main/process.c:544

Can you read through the document I sent you, follow the instructions, then provide a gdb backtrace?

The server needs to be built with debugging symbols and optimisation disabled to get anything useful.

Arran Cudbard-Bell a.cudbardb@freeradius.org
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

@Schnappatmer

Sorry, I forgot to install the required debug package.

(96) Received Access-Request Id 198 from 147.174.47.134:51006 to 0.0.0.0:2083 length 195
(96)   NAS-Port-Id = 'AP280/1'
(96)   Calling-Station-Id = '90-FD-61-84-CD-AD'
(96)   Called-Station-Id = '00-0C-0E-1E-F2-84:eduroam'
(96)   Service-Type = Framed-User
(96)   EAP-Message = 0x0203001d013134323735323040756e692d77757070657274616c2e6465
(96)   User-Name = '1424720@uni-wuppertal.de'
(96)   NAS-Port = 6969
(96)   NAS-Port-Type = Wireless-802.11
(96)   NAS-IP-Address = 172.19.47.14
(96)   NAS-Identifier = 'Juniper'
(96)   Message-Authenticator = 0x5a6429a0adafb981d5ad04f9893d3996
(96)   Default-TTL = 19
(96) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(96) # Executing group from file /etc/freeradius/sites-enabled/default
(96) eap: EAP session adding &reply:State = 0x896f69ab896b70b1
(96) # Executing group from file /etc/freeradius/sites-enabled/default
(96) Sent Access-Challenge Id 198 from 0.0.0.0:2083 to 147.174.47.134:51006 length 0
(96)   EAP-Message = 0x010400061920
(96)   Message-Authenticator = 0x00000000000000000000000000000000
(96)   State = 0x896f69ab896b70b1f1979874fa4a4b74
Waking up in 2.0 seconds.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
Waking up in 0.2 seconds.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
Waking up in 0.2 seconds.
Waking up in 1.0 seconds.
Waking up in 565.3 seconds.
talloc: access after free error - first free may be at src/main/process.c:544

Bad talloc magic value - access after free

talloc abort: Bad talloc magic value - access after free

Backtrace of last 16 frames:
/usr/lib/freeradius/libfreeradius-radius.so(+0xc678)[0x7ffff795f678]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x1b5f)[0x7ffff710fb5f]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_get_name+0x3f)[0x7ffff71105ff]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_get_type_abort+0x1d)[0x7ffff71135dd]
/usr/lib/freeradius/libfreeradius-radius.so(fr_pair_verify_vp+0x85)[0x7ffff7970598]
/usr/lib/freeradius/libfreeradius-radius.so(_fr_cursor_init+0x67)[0x7ffff795df30]
/usr/lib/freeradius/libfreeradius-radius.so(paircopy+0x3e)[0x7ffff796de80]
/usr/sbin/freeradius(tls_application_data+0x29c)[0x456ef2]
/usr/sbin/freeradius[0x457d7a]
/usr/sbin/freeradius(dual_tls_recv+0x51)[0x4583de]
/usr/sbin/freeradius[0x44582c]
/usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x63b)[0x7ffff7987d18]
/usr/sbin/freeradius(radius_event_process+0x26)[0x44763f]
/usr/sbin/freeradius(main+0xc78)[0x431751]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff670fec5]
/usr/sbin/freeradius[0x40e129]

Program received signal SIGABRT, Aborted.
0x00007ffff6724cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6724cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff67280d8 in __GI_abort () at abort.c:89
#2  0x00007ffff795f6c1 in _fr_talloc_fault_simple (reason=0x7ffff7116c60 "Bad talloc magic value - access after free") at src/lib/debug.c:778
#3  0x00007ffff710fb5f in ?? () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2
#4  0x00007ffff71105ff in talloc_get_name () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2
#5  0x00007ffff71135dd in _talloc_get_type_abort () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2
#6  0x00007ffff7970598 in fr_pair_verify_vp (file=0x7ffff7989270 "src/lib/cursor.c", line=78, vp=0x7fffdc0136c0) at src/lib/pair.c:2109
#7  0x00007ffff795df30 in _fr_cursor_init (cursor=0x7fffffffe100, vp=0x7fffffffe0e0) at src/lib/cursor.c:78
#8  0x00007ffff796de80 in paircopy (ctx=0xa24050, from=0x7fffdc0136c0) at src/lib/pair.c:689
#9  0x0000000000456ef2 in tls_application_data (ssn=0x9f6340, request=0x9f3570) at src/main/tls.c:3070
#10 0x0000000000457d7a in tls_socket_recv (listener=0x9ef5c0) at src/main/tls_listen.c:254
#11 0x00000000004583de in dual_tls_recv (listener=0x9ef5c0) at src/main/tls_listen.c:345
#12 0x000000000044582c in event_socket_handler (xel=0x8fe1f0, fd=13, ctx=0x9ef5c0) at src/main/process.c:4432
#13 0x00007ffff7987d18 in fr_event_loop (el=0x8fe1f0) at src/lib/event.c:642
#14 0x000000000044763f in radius_event_process () at src/main/process.c:5379
#15 0x0000000000431751 in main (argc=3, argv=0x7fffffffe718) at src/main/radiusd.c:581
@alandekok alandekok closed this in c75297b Apr 27, 2015
@jpereira jpereira added a commit to jpereira/freeradius-server that referenced this issue Apr 30, 2015
@alandekok @jpereira alandekok + jpereira Put certs into correct container. Fixes #980 5672dd2
@jpereira jpereira added a commit to jpereira/freeradius-server that referenced this issue May 5, 2015
@alandekok @jpereira alandekok + jpereira Put certs into correct container. Fixes #980 9810390
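
The abort in the backtraces above is a chunk-header check: `paircopy` reaches `fr_pair_verify_vp`, talloc sees the chunk marked as freed, and it reports where the first free happened. The C example below is added here to illustrate that kind of check and is not FreeRADIUS or talloc code. `pair_t`, `pair_alloc`, `pair_free_at` and `pair_verify` are hypothetical names, the magic value and `request.c:42` are constructed, and the session/request ownership scenario is an assumption suggested by the commit title, since the page does not show the fix.

```c
#include <stdio.h>
#include <stdlib.h>

#define CHUNK_MAGIC 0x7A11C0D0u  /* constructed value, not talloc's */
#define CHUNK_FREED 0x1u
static const char FREE_SITE[] = "request.c:42";  /* constructed free location */
typedef struct { unsigned magic; const char *free_loc; int attr; } pair_t;

pair_t *pair_alloc(int attr) {
    pair_t *vp = malloc(sizeof(*vp));
    if (!vp) abort();
    *vp = (pair_t){ .magic = CHUNK_MAGIC, .attr = attr };
    return vp;
}

/* Flag the header and record where; memory is kept so later header reads are defined. */
void pair_free_at(pair_t *vp, const char *loc) {
    if (vp->magic != CHUNK_MAGIC) return;   /* keep the first free site */
    vp->magic = CHUNK_MAGIC | CHUNK_FREED;
    vp->free_loc = loc;
}

/* NULL while live; otherwise the location of the first free. */
const char *pair_verify(const pair_t *vp) {
    if (vp->magic == CHUNK_MAGIC) return NULL;
    return vp->magic == (CHUNK_MAGIC | CHUNK_FREED) ? vp->free_loc : "corrupt header";
}

/* Bug shape (assumed): a long-lived session borrows request-owned data. */
const char *stale_session_pointer(void) {
    pair_t *req_vp = pair_alloc(1);
    pair_t *session_certs = req_vp;       /* borrowed, not owned */
    pair_free_at(req_vp, FREE_SITE);      /* request finishes */
    return pair_verify(session_certs);    /* next packet on the session */
}

/* Fix shape (assumed): the session owns its own copy. */
const char *session_owned_copy(void) {
    pair_t *req_vp = pair_alloc(1);
    pair_t *session_certs = pair_alloc(req_vp->attr);
    pair_free_at(req_vp, FREE_SITE);
    return pair_verify(session_certs);
}

int main(void) {
    const char *loc = stale_session_pointer(), *ok = session_owned_copy();
    printf("stale: first free may be at %s\nowned: %s\n", loc ? loc : "(live)", ok ? ok : "live");
    return 0;
}
```

Recording the free site in the header is what lets the report name a source line even when the server binary has no debug symbols.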