section post-ath from inner-tunnel: post-auth { if (1) { # # These attributes are for the inner-tunnel only, # and MUST NOT be copied to the outer reply. # update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } update { &outer.session-state: += &reply: } } Post-Auth-Type REJECT { attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure- Message } } } and here is part from debug again: (11) # Executing group from file /etc/freeradius/sites-enabled/inner (11) authenticate { (11) eap: Expiring EAP session with state 0x74680c42756316ac (11) eap: Finished EAP session with state 0x74680c42756316ac (11) eap: Previous EAP request found for state 0x74680c42756316ac, released from the list (11) eap: Peer sent packet with method EAP MSCHAPv2 (26) (11) eap: Calling submodule eap_mschapv2 to process data (11) eap: Sending EAP Success (code 3) ID 11 length 4 (11) eap: Freeing handler (11) [eap] = ok (11) } # authenticate = ok (11) # Executing section post-auth from file /etc/freeradius/sites- enabled/inner (11) post-auth { (11) if (1) { (11) if (1) -> TRUE (11) if (1) { (11) update reply { (11) User-Name !* ANY *** glibc detected *** freeradius: free(): invalid next size (fast): 0x 000000000258d0b0 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7f5a586f0bb6] /lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7f5a586f595c] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7f5a59b1c089] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7f5a59b188b3] /usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7f 5a5a5a2b56] /usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x ... Petr ---------- Original mail ---------- From: Fajar A. Nugraha <list@fajar.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: 7. 9. 2017 14:52:25 Subject: Re: freeradius 3.0.15 memory corruption "On Thu, Sep 7, 2017 at 5:37 PM, <petr.linke@seznam.cz> wrote:
Hi, I tryed eapol_test, and the eapol_test succeed for username with length more than 5 characters.
Here is command: eapol_test -c ./eapol_test.conf -s SharedSecret -a 10.255.246.120
(9) eap_mschapv2: authenticate { (9) mschap: Creating challenge hash with username: abcdef ...
(11) Finished request
Did you cut the post-auth section? Or did you use a different config?
(10) # Executing section post-auth from file /etc/freeradius/sites- enabled/inner (10) post-auth { (10) if (1) { (10) if (1) -> TRUE (10) if (1) { (10) update reply { (10) User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7 efef0171bb6] *** glibc detected *** freeradius: free(): invalid next size (fast): 0x 0000000000b61230 ***
On your original post, the problem happens on post-auth. And changing/sending 'User-Name' in reply looks weird. What is your actual post-auth section on /etc/freeradius/sites-enabled/inner ? -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html"