(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message

Michel Verhagen mike at guruce.com
Fri Jun 18 03:22:21 CEST 2021


I'm in the process of capturing the Wireshark traces with TLS decryption, but I just noticed that Freeradius crashes (or terminates) after a while and thought this would be an interesting find:

Ready to process requests
(334) Received Access-Request Id 210 from 192.168.1.2:1987 to 192.168.1.4:1812 length 108
(334)   User-Name = "anonymous"
(334)   NAS-Port = 24
(334)   NAS-Port-Id = "24"
(334)   Calling-Station-Id = "00-19-B8-01-79-D9"
(334)   EAP-Message = 0x026a000e01616e6f6e796d6f7573
(334)   NAS-Port-Type = Ethernet
(334)   Message-Authenticator = 0xdfcd2705ee72509eecf6c3e600dcc672
(334)   NAS-IP-Address = 192.168.1.2
(334) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(334)   authorize {
(334)     policy filter_username {
(334)       if (&User-Name) {
(334)       if (&User-Name)  -> TRUE
(334)       if (&User-Name)  {
(334)         if (&User-Name =~ / /) {
(334)         if (&User-Name =~ / /)  -> FALSE
(334)         if (&User-Name =~ /@[^@]*@/ ) {
(334)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(334)         if (&User-Name =~ /\.\./ ) {
(334)         if (&User-Name =~ /\.\./ )  -> FALSE
(334)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(334)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(334)         if (&User-Name =~ /\.$/)  {
(334)         if (&User-Name =~ /\.$/)   -> FALSE
(334)         if (&User-Name =~ /@\./)  {
(334)         if (&User-Name =~ /@\./)   -> FALSE
(334)       } # if (&User-Name)  = notfound
(334)     } # policy filter_username = notfound
(334)     [preprocess] = ok
(334)     [chap] = noop
(334)     [mschap] = noop
(334)     [digest] = noop
(334) suffix: Checking for suffix after "@"
(334) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(334) suffix: No such realm "NULL"
(334)     [suffix] = noop
(334) eap: Peer sent EAP Response (code 2) ID 106 length 14
(334) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(334)     [eap] = ok
(334)   } # authorize = ok
(334) Found Auth-Type = eap
(334) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(334)   authenticate {
(334) eap: Peer sent packet with method EAP Identity (1)
(334) eap: Calling submodule eap_tls to process data
(334) eap_tls: (TLS) Initiating new session
(334) eap_tls: (TLS) Setting verify mode to require certificate from client
(334) eap: Sending EAP Request (code 1) ID 107 length 6
(334) eap: EAP session adding &reply:State = 0x5a501c065a3b1144
(334)     [eap] = handled
(334)   } # authenticate = handled
(334) Using Post-Auth-Type Challenge
(334) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(334)   Challenge { ... } # empty sub-section is ignored
(334) session-state: Saving cached attributes
(334)   Framed-MTU = 994
(334) Sent Access-Challenge Id 210 from 192.168.1.4:1812 to 192.168.1.2:1987 length 0
(334)   EAP-Message = 0x016b00060d20
(334)   Message-Authenticator = 0x00000000000000000000000000000000
(334)   State = 0x5a501c065a3b114455a3bcc90888424a
(334) Finished request
Waking up in 4.9 seconds.
(335) Received Access-Request Id 65 from 192.168.1.2:1988 to 
192.168.1.4:1812 length 320
(335)   User-Name = "anonymous"
(335)   NAS-Port = 24
(335)   NAS-Port-Id = "24"
(335)   Calling-Station-Id = "00-19-B8-01-79-D9"
(335)   EAP-Message = 0x026b00d00d0016030300c5010000c1030349805d93404b82da96e2c4d11d21164899a0e804068aa661c4d4e66508f59a72000066c02cc02bc030c02f009f009e009d009cc02ec02dc032c031c027c023c029c025c028c024c02ac026c00ac005c009c004c007c002c008c003c014c00fc013c00ec011c00cc012c00d006b0067003900330016003d003c0035002f00050004000a00fb00fc00fd01000032000d0012001006030503040302030601050104010201000b00020100000a000e000c00190018001700150013001000170000
(335)   State = 0x5a501c065a3b114455a3bcc90888424a
(335)   NAS-Port-Type = Ethernet
(335)   Message-Authenticator = 0x34e230e65cd0d63361bc0d3e17314e00
(335)   NAS-IP-Address = 192.168.1.2
talloc: access after free error - first free may be at src/main/state.c:364

Bad talloc magic value - access after free

talloc abort: Bad talloc magic value - access after free

Backtrace of last 4294967295 frames:
Abort
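The three EAP-Message values in the trace above carry the whole EAP-TLS conversation up to the abort. As an added example (not code from the post or from FreeRADIUS), the following decoder pulls those attribute values out of the debug lines and parses them: the EAP header (RFC 3748), the EAP-TLS flags byte (RFC 5216) and, for the third packet, the TLS record and ClientHello it wraps. The log lines embedded below are copied from the post (with the mail-wrapped hex rejoined); the names of the functions and dictionaries are this example's own.

```python
"""Decode EAP-Message attributes from FreeRADIUS debug output.

Added example: generic EAP / EAP-TLS / TLS ClientHello parsing, not
FreeRADIUS code. Input lines are copied from the trace in the post.
"""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# The three EAP-Message lines from the trace (requests 334 and 335).
LOG = """\
(334)   EAP-Message = 0x026a000e01616e6f6e796d6f7573
(334)   EAP-Message = 0x016b00060d20
(335)   EAP-Message = 0x026b00d00d0016030300c5010000c1030349805d93404b82da96e2c4d11d21164899a0e804068aa661c4d4e66508f59a72000066c02cc02bc030c02f009f009e009d009cc02ec02dc032c031c027c023c029c025c028c024c02ac026c00ac005c009c004c007c002c008c003c014c00fc013c00ec011c00cc012c00d006b0067003900330016003d003c0035002f00050004000a00fb00fc00fd01000032000d0012001006030503040302030601050104010201000b00020100000a000e000c00190018001700150013001000170000
"""

EAP_LINE = re.compile(r"^\((\d+)\)\s+EAP-Message = 0x([0-9a-fA-F]+)\s*$")


def parse_eap(data: bytes) -> dict:
    """Parse one EAP packet: 4-byte header, then type and type-specific data."""
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != attribute length {len(data)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # Request / Response carry a type byte
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        payload = data[5:]
        if eap_type == 1:
            pkt["identity"] = payload.decode("ascii", "replace")
        elif eap_type == 13:
            flags = payload[0]  # L = length included, M = more fragments, S = start
            pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            tls = payload[5:] if flags & 0x80 else payload[1:]  # skip 4-byte TLS length if L set
            if tls:
                pkt["tls"] = parse_tls_record(tls)
    return pkt


def parse_tls_record(rec: bytes) -> dict:
    """Parse the TLS record header; descend into a ClientHello if that is what it carries."""
    ctype, ver, rlen = struct.unpack("!BHH", rec[:5])
    body = rec[5:5 + rlen]
    out = {"content_type": ctype, "version": TLS_VERSIONS.get(ver, hex(ver)), "record_length": rlen}
    if ctype == 22 and body and body[0] == 1:  # handshake record, ClientHello
        out["handshake"] = parse_client_hello(body[4:])  # skip handshake type + 3-byte length
    return out


def parse_client_hello(ch: bytes) -> dict:
    """Walk a ClientHello body: version, random, session id, cipher suites, compression, extensions."""
    ver = struct.unpack("!H", ch[:2])[0]
    pos = 2 + 32  # skip the 32-byte client random
    sid_len = ch[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", ch[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = ch[pos]
    pos += 1 + comp_len
    exts = []
    if pos + 2 <= len(ch):
        ext_len = struct.unpack("!H", ch[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"client_version": TLS_VERSIONS.get(ver, hex(ver)), "cipher_suites": suites, "extensions": exts}


def decode_log(text: str) -> list:
    """Return (request number, parsed packet) for every EAP-Message line in the debug text."""
    results = []
    for line in text.splitlines():
        m = EAP_LINE.match(line)
        if m:
            results.append((int(m.group(1)), parse_eap(bytes.fromhex(m.group(2)))))
    return results


if __name__ == "__main__":
    for req, pkt in decode_log(LOG):
        print(req, pkt)
```

Run against the trace, the decoder agrees with what the server itself logged: the first value is an EAP Response (ID 106, 14 bytes) of type Identity carrying "anonymous"; the second is the EAP Request (ID 107, 6 bytes) of type EAP-TLS with only the S (start) flag set; the third is the 208-byte EAP-TLS response whose payload is a TLS 1.2 handshake record with a ClientHello offering 51 cipher suites and four extensions (signature_algorithms, ec_point_formats, supported_groups and extended_master_secret). That third packet is the one the server was processing, in request 335, when talloc reported the access-after-free and aborted.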