On 18 Jun 2014, at 21:50, Phil Mayers <p.mayers@IMPERIAL.AC.UK> wrote:
On 18/06/2014 19:11, Phil Mayers wrote:
I have some circumstantial evidence that eap_ttls is implicated, and that it might be related to the handling of the fake requests for the inner tunnel - but it's very circumstantial. The heap corruption makes it really hard to be sure of anything - *someone* is trampling over memory they shouldn't, but valgrind seems to get very very confused when this happens, and swamps me with messages.
I can reproduce this with an almost-vanilla config now. Changes I made (verified with diff) from the default "make install" config:
1. Adding a client to clients.conf 2. Enabling a test user in "users" with a Cleartext-Password 3. Increase max_requests to 65536 (to allow it to take the test load) 4. Allow vulnerable openssl 5. Throwing a load of PEAP & TTLS at it using "eapol_test -r 1" - 1x PEAP and 3x TTLS requests every 0.1 seconds, like this:
while true; do eapol_test -r 1 $PEAP & eapol_test -r 1 $TTLS & eapol_test -r 1 $TTLS & eapol_test -r 1 $TTLS & sleep 0.1 done
Under this config it takes a few seconds to minutes to crash, but seems to be pretty reliably doing it under #73629e9
Ok, i'll try and reproduce it tomorrow. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2