talloc & threads in rlm_eap

Phil Mayers p.mayers at imperial.ac.uk
Mon Jun 23 23:17:22 CEST 2014


On 23/06/2014 21:41, Alan DeKok wrote:

>> /tmp/threadlog-26294-26326-src/main/process.c:1369
>
>    Hmm... OK.
>
>> /opt/fr3/sbin/radiusd[0x435799]
>> /opt/fr3/sbin/radiusd[0x433531]
>
>    That's unhelpful.

Yeah, annoying that. I can run addr2line on those so I've no idea why 
backtrace() can't resolve them, but can resolve shared libs. Sigh.

Anyway, they resolve to:

[root at radtest ~]# addr2line -e /opt/fr3/sbin/radiusd 0x433531
/home/nsg/freeradius-server/src/main/process.c:472

[root at radtest ~]# addr2line -e /opt/fr3/sbin/radiusd 0x435799
/home/nsg/freeradius-server/src/main/process.c:1450

>    Maybe.  The main thread should NOT free anything associated with the
> REQUEST if the child thread is still running.  There are a number of
> checks for that...

In that particular case it was an access-after-free; I think maybe 
(ironically) the request_running() VERIFY_REQUEST() call is walking the 
vps at the same time the child thread is running through them?

Are we (well, I) actually seeing access-after-free being triggered by 
the VERIFY_* stuff? Which wouldn't happen in a release build?

That said I'm not seeing the locking or lock-free primitives which would 
ensure a request isn't accessed from main & worker thread; what's to 
stop a child thread updating request->child_state at the same time 
request_process_timer reading it?



More information about the Freeradius-Devel mailing list