segfault in presufcmp()

Jakob Hirsch jh at plonk.de
Wed Nov 18 13:54:22 CET 2009


Hi,

comparing Suffix or Prefix without it being set lets the server crash
(see backtrace below). This is easily reproducable with this:


authorize {
	# also happens with Prefix
	if (Suffix == "blub") {
	}
...


This happens on x86 and x64, with 2.1.7 as well as git stable. I guess
there should be a check somewhere, maybe for req==NULL in presufcmp(),
but I'm not sure. The obvious work around is setting these attributes
(with update request) to empty strings or checking them like "if (Prefix
&& Prefix == ...)".

Besides that, I'm surprised that there is special handling for Prefix
and Suffix. I thought they are just some attributes I can use as I wish.
I parse User-Name with a regex and set them accordingly with %{1} etc.


> rad_recv: Access-Request packet from host 127.0.0.1 port 54511, id=178, length=67
> 	User-Name = "does_not_matter"
> 	User-Password = "b"
> 	NAS-IP-Address = 172.17.13.190
> 	NAS-Port = 1
> +- entering group authorize {...}
> ++? if (Suffix == "blub")
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x00000035b3c7f541 in strlen () from /lib64/libc.so.6
> (gdb) bt
> #0  0x00000035b3c7f541 in strlen () from /lib64/libc.so.6
> #1  0x00007ffff750b790 in presufcmp (instance=0x0, req=0x7e5a10, request=0x0, check=0x7e6120, check_pairs=0x0, reply_pairs=0x0) at paircmp.c:134
> #2  0x00000000004273a3 in radius_callback_compare (req=0x7e5a10, request=0x0, check=0x7e6120, check_pairs=0x0, reply_pairs=0x0) at valuepair.c:270
> #3  0x0000000000438260 in radius_do_cmp (request=0x7e5a10, presult=0x7fffffffc280, lt=T_BARE_WORD, pleft=0x7fffffffbe70 "Suffix", token=T_OP_CMP_EQ, rt=T_DOUBLE_QUOTED_STRING, 
>     pright=0x7fffffffba70 "blub", cflags=0, modreturn=6) at evaluate.c:360
> #4  0x0000000000439385 in radius_evaluate_condition (request=0x7e5a10, modreturn=6, depth=1, ptr=0x7fffffffc330, evaluate_it=1, presult=0x7fffffffd360) at evaluate.c:833
> #5  0x0000000000438c61 in radius_evaluate_condition (request=0x7e5a10, modreturn=6, depth=0, ptr=0x7fffffffd810, evaluate_it=1, presult=0x7fffffffd81c) at evaluate.c:614
> #6  0x000000000041eb9d in modcall (component=1, c=0x780500, request=0x7e5a10) at modcall.c:432
> #7  0x000000000041cb89 in indexed_modcall (comp=1, idx=0, request=0x7e5a10) at modules.c:691
> #8  0x000000000041e035 in module_authorize (autz_type=0, request=0x7e5a10) at modules.c:1453
> #9  0x0000000000409421 in rad_authenticate (request=0x7e5a10) at auth.c:565
> #10 0x000000000043327e in radius_handle_request (request=0x7e5a10, fun=0x409226 <rad_authenticate>) at event.c:3693
> #11 0x00000000004258e1 in thread_pool_addrequest (request=0x7e5a10, fun=0x409226 <rad_authenticate>) at threads.c:841
> #12 0x0000000000432850 in event_socket_handler (xel=0x7df710, fd=22, ctx=0x7e57c0) at event.c:3317
> #13 0x00007ffff7df36d3 in fr_event_loop (el=0x7df710) at event.c:400
> #14 0x0000000000433189 in radius_event_process () at event.c:3679
> #15 0x00000000004223e9 in main (argc=2, argv=0x7fffffffe588) at radiusd.c:398


Regards
Jakob



More information about the Freeradius-Devel mailing list