freeradius 3.0.15 memory corruption
petr.linke at seznam.cz
Thu Sep 7 15:03:32 CEST 2017
section post-auth from inner-tunnel:
post-auth {
    if (1) {
        #
        # These attributes are for the inner-tunnel only,
        # and MUST NOT be copied to the outer reply.
        #
        update reply {
            User-Name !* ANY
            Message-Authenticator !* ANY
            EAP-Message !* ANY
            Proxy-State !* ANY
            MS-MPPE-Encryption-Types !* ANY
            MS-MPPE-Encryption-Policy !* ANY
            MS-MPPE-Send-Key !* ANY
            MS-MPPE-Recv-Key !* ANY
        }
        update {
            &outer.session-state: += &reply:
        }
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        update outer.session-state {
            &Module-Failure-Message := &request:Module-Failure-Message
        }
    }
}
and here is part from debug again:
(11) # Executing group from file /etc/freeradius/sites-enabled/inner
(11) authenticate {
(11) eap: Expiring EAP session with state 0x74680c42756316ac
(11) eap: Finished EAP session with state 0x74680c42756316ac
(11) eap: Previous EAP request found for state 0x74680c42756316ac, released from the list
(11) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(11) eap: Calling submodule eap_mschapv2 to process data
(11) eap: Sending EAP Success (code 3) ID 11 length 4
(11) eap: Freeing handler
(11) [eap] = ok
(11) } # authenticate = ok
(11) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner
(11) post-auth {
(11) if (1) {
(11) if (1) -> TRUE
(11) if (1) {
(11) update reply {
(11) User-Name !* ANY
*** glibc detected *** freeradius: free(): invalid next size (fast): 0x000000000258d0b0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7f5a586f0bb6]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7f5a586f595c]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7f5a59b1c089]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7f5a59b188b3]
/usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7f5a5a5a2b56]
/usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x
...
Petr
---------- Original mail ----------
From: Fajar A. Nugraha <list at fajar.net>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date: 7. 9. 2017 14:52:25
Subject: Re: freeradius 3.0.15 memory corruption
"On Thu, Sep 7, 2017 at 5:37 PM, <petr.linke at seznam.cz> wrote:
> Hi,
> I tried eapol_test, and the eapol_test succeeded for username with length more
> than 5 characters.
>
> Here is command:
> eapol_test -c ./eapol_test.conf -s SharedSecret -a 10.255.246.120
> (9) eap_mschapv2: authenticate {
> (9) mschap: Creating challenge hash with username: abcdef
> ...
> (11) Finished request
Did you cut the post-auth section? Or did you use a different config?
>> (10) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner
>> (10) post-auth {
>> (10) if (1) {
>> (10) if (1) -> TRUE
>> (10) if (1) {
>> (10) update reply {
>> (10) User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7efef0171bb6]
>> *** glibc detected *** freeradius: free(): invalid next size (fast): 0x0000000000b61230 ***
On your original post, the problem happens on post-auth. And
changing/sending 'User-Name' in reply looks weird.
What is your actual post-auth section on /etc/freeradius/sites-enabled/inner?
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html"