1) started on a fresh system that had never seen freeradius before. 2) apt-get build-dep freeradius 3) apt-get install libtalloc-dev 4) git clone git://git.freeradius.org/freeradius-server 5) git branch --track release_branch_3.0.0 6) git checkout release_branch_3.0.0 7) configure --prefix=/usr/local; make; make install 8) download wpa source and build eapol_test 9) configure an eapol_peap.conf: network={ ssid="example" key_mgmt=WPA-EAP eap=PEAP identity="foo@domain.site" anonymous_identity="anon@domain.site" password="foo" phase1="peaplabel=0" phase2="auth=MSCHAPv2" } 10) Try an auth against stock config, no memory errors as expected 11) copy proxy-inner-tunnel from sites-available to sites-enabled 12) change mods-enabled/eap peap{} to virtual_server = "proxy-inner-tunnel" 13) Run the test. Get a GCC doublefree that ends as follows: (7) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default (7) group post-proxy { (7) - entering group post-proxy {...} (7) eap : Doing post-proxy callback (7) eap : Passing reply from proxy back into the tunnel (7) eap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010800160410ea08d4982a033fac8f7f1f0bc63b952f Message-Authenticator = 0xbe82b369c495e2bceed47fd6f1b710d5 State = 0xc10fbed8c107ba1915db9798d8125486 Proxy-State = 0x37 (7) eap : Got tunneled Access-Challenge (7) eap : Reply was handled *** glibc detected *** /usr/local/sbin/radiusd: double free or corruption (out): 0x08cb34d8 *** 15) Note that proxy-inner-tunnel.post-proxy is not being entered, scratch head 14) Note this is a different error that the talloc-detected double-use I originally reported. To see that one proceed as follows: 16) comment out "virtual-server" option in mods-enabled/eap peap{} 17) add this clause to top of sites-enabled/default.authorize: if (Freeradius-Proxied-To == "127.0.0.1") { update control { Proxy-To-Realm = "example.com" } } 18) Run the test. Get the talloc error originally reported: (7) [suffix] = noop (7) eap : Request is supposed to be proxied to Realm example.com. Not doing EAP. (7) [eap] = noop (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop } # server default (7) eap_peap : Got tunneled reply code 0 PEAP: Tunneled authentication will be proxied to example.com talloc: access after free error - first free may be at src/main/util.c:230 Bad talloc magic value - access after free Aborted 18) Note that the error happens on the first unwrapped proxy before it is sent, so decide not to worry about anything past authorize {} in the default server.