3.0.x HEAD crashing
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jun 18 17:45:38 CEST 2014
So, run under valgrind, I'm reliably seeing use-after-free errors like this:
Invalid read of size 4
at 0x36AD402D84: talloc_get_name (talloc.c:349)
by 0x36AD4057EA: _talloc_get_type_abort (talloc.c:1206)
by 0x4E470EC: fr_verify_vp (debug.c:829)
by 0x4E458DE: _fr_cursor_init (cursor.c:45)
by 0x4E4758C: fr_verify_list (debug.c:916)
by 0x4C2EB30: verify_request (util.c:1113)
by 0x4354B8: request_running (process.c:1446)
by 0x433250: request_timer (process.c:471)
by 0x4E69364: fr_event_run (event.c:260)
by 0x4E69C71: fr_event_loop (event.c:483)
by 0x43D487: radius_event_process (process.c:4923)
by 0x42A1A4: main (radiusd.c:565)
Address 0x9ce99e0 is 64 bytes inside a block of size 160 free'd
at 0x4A063F0: free (vg_replace_malloc.c:446)
by 0x36AD402388: _talloc_free_internal (talloc.c:876)
by 0x4E62661: pairfree (valuepair.c:171)
by 0x4351F9: request_finish (process.c:1366)
by 0x435617: request_running (process.c:1526)
by 0x430D90: request_handler_thread (threads.c:685)
by 0x379E4079D0: start_thread (pthread_create.c:301)
by 0x379DCE8B7C: clone (clone.S:115)
Invalid read of size 8
at 0x36AD402DBA: talloc_get_name (talloc.c:356)
by 0x36AD4057EA: _talloc_get_type_abort (talloc.c:1206)
by 0x4E470EC: fr_verify_vp (debug.c:829)
by 0x4E458DE: _fr_cursor_init (cursor.c:45)
by 0x4E4758C: fr_verify_list (debug.c:916)
by 0x4C2EB30: verify_request (util.c:1113)
by 0x4354B8: request_running (process.c:1446)
by 0x433250: request_timer (process.c:471)
by 0x4E69364: fr_event_run (event.c:260)
by 0x4E69C71: fr_event_loop (event.c:483)
by 0x43D487: radius_event_process (process.c:4923)
by 0x42A1A4: main (radiusd.c:565)
Address 0x9ce99d0 is 48 bytes inside a block of size 160 free'd
at 0x4A063F0: free (vg_replace_malloc.c:446)
by 0x36AD402388: _talloc_free_internal (talloc.c:876)
by 0x4E62661: pairfree (valuepair.c:171)
by 0x4351F9: request_finish (process.c:1366)
by 0x435617: request_running (process.c:1526)
by 0x430D90: request_handler_thread (threads.c:685)
by 0x379E4079D0: start_thread (pthread_create.c:301)
by 0x379DCE8B7C: clone (clone.S:115)
Sadly I'm blocked. I can't get "vgdb" to run properly (it complains with
some bullshit error message about putpkt failing), so I can't break into
the process when the invalid read happens and inspect the memory
contents to know what attributes are triggering it.
If I run it under gdb, the errors seem to happen later, presumably
because the invalid reads aren't handled in the same way. I'm then stuck
in glibc/malloc and the twisty internals don't tell me a lot.
If anyone has any suggestions I'm all ears... :o(