3.0.x HEAD crashing

Phil Mayers p.mayers at imperial.ac.uk
Tue Jun 17 16:55:05 CEST 2014


On 17/06/14 15:33, Phil Mayers wrote:

> Will try and re-trigger under valgrind, though memcheck seems to report
> a *lot* for 3.0.x head - many alloc-without-free for regexp compilations
> at compile parse time and similar.

Ok, looks like use-after-free somewhere. Valgrind report is really 
really big, but it looks like the pertinent stuff is:

Thread 1:
Invalid read of size 4
    at 0x36AD402D84: talloc_get_name (talloc.c:349)
    by 0x36AD4057EA: _talloc_get_type_abort (talloc.c:1206)
    by 0x4E46F23: fr_verify_vp (debug.c:804)
    by 0x4E4587E: _fr_cursor_init (cursor.c:45)
    by 0x4E47242: fr_verify_list (debug.c:868)
    by 0x4C2EABB: verify_request (util.c:1105)
    by 0x4354BF: request_running (process.c:1446)
    by 0x433230: request_timer (process.c:471)
    by 0x4E691CC: fr_event_run (event.c:260)
    by 0x4E69AD9: fr_event_loop (event.c:483)
    by 0x43D4C2: radius_event_process (process.c:4923)
    by 0x42A184: main (radiusd.c:565)
  Address 0xa5f31d0 is 64 bytes inside a block of size 160 free'd
    at 0x4A063F0: free (vg_replace_malloc.c:446)
    by 0x36AD402388: _talloc_free_internal (talloc.c:876)
    by 0x4E623E1: pairfree (valuepair.c:171)
    by 0x4351F3: request_finish (process.c:1366)
    by 0x43561E: request_running (process.c:1526)
    by 0x430D70: request_handler_thread (threads.c:685)
    by 0x379E4079D0: start_thread (pthread_create.c:301)
    by 0x379DCE8B7C: clone (clone.S:115)

Invalid read of size 8
    at 0x36AD402DBA: talloc_get_name (talloc.c:356)
    by 0x36AD4057EA: _talloc_get_type_abort (talloc.c:1206)
    by 0x4E46F23: fr_verify_vp (debug.c:804)
    by 0x4E4587E: _fr_cursor_init (cursor.c:45)
    by 0x4E47242: fr_verify_list (debug.c:868)
    by 0x4C2EABB: verify_request (util.c:1105)
    by 0x4354BF: request_running (process.c:1446)
    by 0x433230: request_timer (process.c:471)
    by 0x4E691CC: fr_event_run (event.c:260)
    by 0x4E69AD9: fr_event_loop (event.c:483)
    by 0x43D4C2: radius_event_process (process.c:4923)
    by 0x42A184: main (radiusd.c:565)
  Address 0xa5f31c0 is 48 bytes inside a block of size 160 free'd
    at 0x4A063F0: free (vg_replace_malloc.c:446)
    by 0x36AD402388: _talloc_free_internal (talloc.c:876)
    by 0x4E623E1: pairfree (valuepair.c:171)
    by 0x4351F3: request_finish (process.c:1366)
    by 0x43561E: request_running (process.c:1526)
    by 0x430D70: request_handler_thread (threads.c:685)
    by 0x379E4079D0: start_thread (pthread_create.c:301)
    by 0x379DCE8B7C: clone (clone.S:115)

Sadly the corefile is unusable after dying under valgrind? Stack trace 
doesn't work.
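
Added example, not part of the original post and not FreeRADIUS code: a short Python triage pass for a large memcheck report like the one above. It groups each "Invalid read/write ... free'd" record by the start of the freed block (reported address minus offset), which shows that both reads quoted above land in the same 160-byte block freed through pairfree. The function names, the PLUMBING skip list and the cross_thread heuristic (outermost frames differ) are assumptions of this example, and the sample input is constructed from the trace above with frames trimmed.

```python
import re

HDR = re.compile(r"Invalid (?:read|write) of size \d+")
ADDR = re.compile(r"Address (0x[0-9A-Fa-f]+) is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^):]+)")
PLUMBING = {"vg_replace_malloc.c", "talloc.c"}  # assumption: allocator frames to skip

# Constructed input: the two records from the post above, most frames trimmed.
SAMPLE = """Invalid read of size 4
   at 0x36AD402D84: talloc_get_name (talloc.c:349)
   by 0x4E46F23: fr_verify_vp (debug.c:804)
   by 0x42A184: main (radiusd.c:565)
 Address 0xa5f31d0 is 64 bytes inside a block of size 160 free'd
   at 0x4A063F0: free (vg_replace_malloc.c:446)
   by 0x4E623E1: pairfree (valuepair.c:171)
   by 0x379DCE8B7C: clone (clone.S:115)

Invalid read of size 8
   at 0x36AD402DBA: talloc_get_name (talloc.c:356)
 Address 0xa5f31c0 is 48 bytes inside a block of size 160 free'd
   at 0x4A063F0: free (vg_replace_malloc.c:446)"""

def parse_uaf(report):  # one dict per invalid access to a free'd block
    records, cur, stack = [], None, None
    for line in report.splitlines():
        if HDR.search(line):
            cur = {"access": [], "free": []}
            stack = cur["access"]
        elif cur and (m := ADDR.search(line)):
            cur["block"] = (int(m[1], 16) - int(m[2]), int(m[3]))  # (start, size)
            stack = cur["free"]
            records.append(cur)
        elif cur and (m := FRAME.search(line)):
            stack.append((m[1], m[2]))  # (function, source file)
        elif not re.search(r"[A-Za-z]", line):
            cur = None  # blank (or bare ==PID==) line ends the record
    return records

def site(stack):  # first function outside allocator plumbing
    return next((fn for fn, src in stack if src not in PLUMBING), None)

def summarize(report):  # one finding per freed block; cross_thread is a heuristic
    groups = {}
    for r in parse_uaf(report):
        groups.setdefault(r["block"], []).append(r)
    return [{"block": hex(b), "size": n, "errors": len(rs),
             "used_in": site(rs[0]["access"]), "freed_in": site(rs[0]["free"]),
             "cross_thread": rs[0]["access"][-1][0] != rs[0]["free"][-1][0]}
            for (b, n), rs in sorted(groups.items())]
```

Running `summarize()` over a full log written with `--log-file` reduces the report to one line per freed block, so repeated reads of the same object stop hiding the distinct free sites.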

