Talloc sanity error (3.0 release branch, reproxying from PEAP inner tunnel)

Brian Julin BJulin at clarku.edu
Wed Aug 7 19:35:47 CEST 2013


I finally got around to trying some RC code (the release_branch_3.0.0 on github) on our
production configurations. After a bit of massaging I got them looking like they were working,
but not so much the one that re-proxies the inner tunnel contents to an internal
server after unwrapping EAP-PEAP:

  peap {
    default_eap_type = mschapv2
    proxy_tunneled_request_as_eap = yes
    copy_request_to_tunnel = no
    use_tunneled_reply = yes
    tls = eduroam-eap-tls
  }

Any request that tries to go to the proxy causes this to happen:

Wed Aug  7 11:57:35 2013 : Debug: (5)   - entering if ("%{FreeRADIUS-Proxied-To}" == 127.0.0.1)  {...}
Wed Aug  7 11:57:35 2013 : Debug: (5)    update control {
Wed Aug  7 11:57:35 2013 : Debug: (5)           Proxy-To-Realm := "idpi"

...

Wed Aug  7 11:57:35 2013 : Debug: (5)    } # update control = ok
Wed Aug  7 11:57:35 2013 : Debug: (5)   - if ("%{FreeRADIUS-Proxied-To}" == 127.0.0.1)  returns ok
Wed Aug  7 11:57:35 2013 : Debug: (5)    ... skipping else for request 5: Preceding "if" was taken
} # server eduroam_idp
Wed Aug  7 11:57:35 2013 : Debug: (5) eap_peap : Got tunneled reply code 0
Wed Aug  7 11:57:35 2013 : Debug:   PEAP: Tunneled authentication will be proxied to idpi
Wed Aug  7 11:57:35 2013 : Info: talloc: access after free error - first free may be at src/main/util.c:230
Wed Aug  7 11:57:35 2013 : Info: Bad talloc magic value - access after free

... I don't know if this is of any use, being so far removed from the free():

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff5eb4700 (LWP 27579)]
0x0000003fe54328a5 in raise () from /lib64/libc.so.6

...

(gdb) bt
#0  0x0000003fe54328a5 in raise () from /lib64/libc.so.6
#1  0x0000003fe5434085 in abort () from /lib64/libc.so.6
#2  0x00007ffff7782c3c in ?? () from /usr/lib64/libtalloc.so.2
#3  0x00007ffff7782dd8 in talloc_get_name () from /usr/lib64/libtalloc.so.2
#4  0x00007ffff77857eb in _talloc_get_type_abort ()
   from /usr/lib64/libtalloc.so.2
#5  0x00007ffff7bb4d95 in pairnext (cursor=0x7ffff5eb2950)
    at src/lib/valuepair.c:290
#6  0x00007ffff7bb4b42 in pairfind (vp=0x7fffe8007d80, attr=80, vendor=0,
    tag=-128 '\200') at src/lib/valuepair.c:209
#7  0x00007ffff6f58d45 in mod_authenticate (instance=0x7f8b30,
    request=0x844e40) at src/modules/rlm_eap/rlm_eap.c:360
#8  0x0000000000421812 in call_modsingle (component=0, sp=0x81ce30,
    request=0x844e40) at src/main/modcall.c:311
#9  0x0000000000422f93 in modcall (component=0, c=0x81cf30, request=0x844e40)
    at src/main/modcall.c:782
#10 0x000000000041f4c6 in indexed_modcall (comp=0, idx=6, request=0x844e40)
    at src/main/modules.c:758
#11 0x0000000000421127 in process_authenticate (auth_type=6, request=0x844e40)
    at src/main/modules.c:1648
#12 0x000000000040c910 in rad_check_password (request=0x844e40)
    at src/main/auth.c:252
#13 0x000000000040cee4 in rad_authenticate (request=0x844e40)
    at src/main/auth.c:490
#14 0x0000000000430b79 in request_running (request=0x844e40, action=1)
    at src/main/process.c:1185
#15 0x000000000042d02e in request_handler_thread (arg=0x8397c0)
    at src/main/threads.c:685
#16 0x0000003fe5c07851 in start_thread () from /lib64/libpthread.so.0
#17 0x0000003fe54e811d in clone () from /lib64/libc.so.6
(gdb)
(gdb) up
#1  0x0000003fe5434085 in abort () from /lib64/libc.so.6
(gdb) up
#2  0x00007ffff7782c3c in ?? () from /usr/lib64/libtalloc.so.2
(gdb) up
#3  0x00007ffff7782dd8 in talloc_get_name () from /usr/lib64/libtalloc.so.2
(gdb) up
#4  0x00007ffff77857eb in _talloc_get_type_abort ()
   from /usr/lib64/libtalloc.so.2
(gdb) up
#5  0x00007ffff7bb4d95 in pairnext (cursor=0x7ffff5eb2950)
    at src/lib/valuepair.c:290
290     VERIFY_VP(cursor->current);
(gdb) list
285      */
286     VALUE_PAIR *pairnext(vp_cursor_t *cursor)
287     {
288             cursor->current = cursor->next;
289             if (cursor->current) {
290                     VERIFY_VP(cursor->current);
291
292                     /*
293                      *  Set this now in case 'current' gets freed before
294                      *  pairnext is called again.
(gdb) print cursor->current
$1 = (VALUE_PAIR *) 0x7fffe8007820
(gdb) print cursor->current->da
$2 = (const DICT_ATTR *) 0x6c6c617420646142
(gdb) print *cursor->current->da
Cannot access memory at address 0x6c6c617420646142
(gdb) up
#6  0x00007ffff7bb4b42 in pairfind (vp=0x7fffe8007d80, attr=80, vendor=0,
    tag=-128 '\200') at src/lib/valuepair.c:209
209               i = pairnext(&cursor)) {
(gdb) list
204     vp_cursor_t     cursor;
205     VALUE_PAIR      *i;
206
207     for (i = paircursor(&cursor, &vp);
208              i;
209             i = pairnext(&cursor)) {
210             VERIFY_VP(i);
211             if ((i->da->attr == attr) && (i->da->vendor == vendor)
212              && ((tag == TAG_ANY) || (i->da->flags.has_tag &&
213                      (i->tag == tag)))) {
(gdb) print attr
$3 = 80
(gdb) print vendor
$4 = 0
(gdb) print tag
$5 = -128 '\200'
(gdb) print i->da->name
$6 = "U"
(gdb) print *(char *)i->da->name
$7 = 85 'U'
(gdb) print *(char *)i->da->name + 1
$8 = 86
(gdb) print *(char *)(i->da->name + 1)
$9 = 115 's'
(gdb) print *(char *)(i->da->name + 2)
$10 = 101 'e'
(gdb) print *(char *)(i->da->name + 3)
$11 = 114 'r'
(gdb) print *(char *)(i->da->name + 4)
$12 = 45 '-'
(gdb) print *(char *)(i->da->name + 5)
$13 = 78 'N'
(gdb) up
#7  0x00007ffff6f58d45 in mod_authenticate (instance=0x7f8b30,
    request=0x844e40) at src/modules/rlm_eap/rlm_eap.c:360
360                             vp = pairfind(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY);
(gdb) print request
$14 = (REQUEST *) 0x844e40
(gdb) print request->proxy
$15 = (RADIUS_PACKET *) 0x7fffe8007bc0
(gdb) print request->proxy->vps
$16 = (VALUE_PAIR *) 0x7fffe8007d80
(gdb) print request->proxy->vps->da
$17 = (const DICT_ATTR *) 0x66dbf0
(gdb) print request->proxy->vps->da->name
$18 = "E"
(gdb) print (char *)request->proxy->vps->da->name
$19 = 0x66dc00 "EAP-Message"
(gdb) print (char *)request->proxy->vps->da->type
$20 = 0x6 <Address 0x6 out of bounds>
(gdb) print request->proxy->vps->da->type
$21 = PW_TYPE_OCTETS
(gdb) print (char *)request->proxy->vps->next->da->name
$22 = 0x6d8b08 "FreeRADIUS-Proxied-To"
(gdb) print (char *)request->proxy->vps->next->next->da->name
$23 = 0x66c280 "User-Name"
(gdb) print (char *)request->proxy->vps->next->next->next->da->name
$24 = 0x6c6c617420646152 <Address 0x6c6c617420646152 out of bounds>
(gdb) up
#8  0x0000000000421812 in call_modsingle (component=0, sp=0x81ce30,
    request=0x844e40) at src/main/modcall.c:311
311 myresult = sp->modinst->entry->module->methods[component](
(gdb) list
306     /*
307      *      For logging unresponsive children.
308      */
309     request->module = sp->modinst->name;
310
311     myresult = sp->modinst->entry->module->methods[component](
312     sp->modinst->insthandle, request);
313
314     request->module = "";
315     safe_unlock(sp->modinst);
(gdb)


The good news is the outbound instance for RadSec proxy seems to be holding up so far.
I've got another few weeks to test that before EDUROAM-US retracts RadSec service
pending getting their PKI in order, so I'll try to bang on it a bit, stress- and endurance-wise,
before it goes away.
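Editor's note, added to the post above and not part of the original message or of the FreeRADIUS or talloc sources: the two "pointer" values gdb prints for the `da` field of the broken VALUE_PAIRs (0x6c6c617420646142 in frame 5 and 0x6c6c617420646152 for the fourth entry of request->proxy->vps) are not addresses at all. Read as little-endian bytes they are the ASCII text "Bad tall" and "Rad tall", which is consistent with the freed pair's memory having been reused for string data after the free reported at src/main/util.c:230 (that interpretation is mine, not the poster's). The small C program below decodes such values the way a practitioner would when triaging a use-after-free crash; the sample values are copied from the gdb session, and the "canonical pointer" heuristic is a rule of thumb I am assuming for x86-64 user space, not anything the page states.

```c
/*
 * Added example (not from the mailing-list post or the FreeRADIUS source):
 * decode a bogus pointer value printed by gdb into the little-endian bytes
 * it is made of.  A "pointer" such as 0x6c6c617420646142 is pure ASCII,
 * which is the usual sign that the struct it was read from has been freed
 * and its memory reused for string data.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Write the 8 bytes of v (lowest byte first, as stored on x86-64) into out,
 * replacing non-printable bytes with '.', and return the number of printable
 * bytes.  out must hold at least 9 chars.
 */
int decode_le_pointer(uint64_t v, char out[9])
{
    int printable = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (isprint(b)) {
            out[i] = (char)b;
            printable++;
        } else {
            out[i] = '.';
        }
    }
    out[8] = '\0';
    return printable;
}

/*
 * Heuristic (my assumption, not a hard rule): a genuine user-space pointer on
 * x86-64 Linux has its top two bytes zero, so a value whose every byte is
 * printable ASCII is almost certainly data that overwrote a freed object.
 */
int looks_like_ascii_not_pointer(uint64_t v)
{
    char buf[9];
    return decode_le_pointer(v, buf) == 8;
}

int main(void)
{
    /* Sample values copied from the gdb session in the post. */
    const uint64_t samples[] = {
        0x6c6c617420646142ULL,  /* cursor->current->da in frame 5        */
        0x6c6c617420646152ULL,  /* fourth VP's da in request->proxy->vps */
        0x66dbf0ULL,            /* a valid DICT_ATTR pointer (EAP-Message) */
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char text[9];
        int n = decode_le_pointer(samples[i], text);
        printf("0x%016llx -> \"%s\" (%d printable) %s\n",
               (unsigned long long)samples[i], text, n,
               looks_like_ascii_not_pointer(samples[i])
                   ? "ASCII, not a pointer"
                   : "plausible pointer");
    }
    return 0;
}
```

Run against the three values it reports "Bad tall" and "Rad tall" as ASCII and 0x66dbf0 (the intact EAP-Message dictionary entry) as a plausible pointer. When the decoded text is recognisable (here it resembles the beginning of talloc's own "Bad talloc magic value" message, though the post gives no way to confirm what wrote it), searching the binary and its libraries for that string is the next step in locating the writer that reused the freed memory.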
