On 18/06/2014 19:11, Phil Mayers wrote:
I have some circumstantial evidence that eap_ttls is implicated, and that it might be related to the handling of the fake requests for the inner tunnel - but it's very circumstantial. The heap corruption makes it really hard to be sure of anything - *someone* is trampling over memory they shouldn't, but valgrind seems to get very very confused when this happens, and swamps me with messages.
I can reproduce this with an almost-vanilla config now. Changes I made (verified with diff) from the default "make install" config: 1. Adding a client to clients.conf 2. Enabling a test user in "users" with a Cleartext-Password 3. Increase max_requests to 65536 (to allow it to take the test load) 4. Allow vulnerable openssl 5. Throwing a load of PEAP & TTLS at it using "eapol_test -r 1" - 1x PEAP and 3x TTLS requests every 0.1 seconds, like this: while true; do eapol_test -r 1 $PEAP & eapol_test -r 1 $TTLS & eapol_test -r 1 $TTLS & eapol_test -r 1 $TTLS & sleep 0.1 done Under this config it takes a few seconds to minutes to crash, but seems to be pretty reliably doing it under #73629e9