freeradius 3.0.15 memory corruption
Hello, I try to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth from samba. I use default settings, follow freeradius-active-directory- integration-howto. All work correctly for username length up to 5 characters, but when I use username, where the length is more than 5 characters, freeradius terminated due memory corruption. (freeradius v.3.0.15, running on debian Wheezy64). debug for username length more than 5 characters: ... (10) ntdomain: Checking for prefix before "\" (10) ntdomain: No '\' in User-Name = "abcdef", looking up realm NULL (10) ntdomain: No such realm "NULL" (10) [ntdomain] = noop (10) update control { (10) &Proxy-To-Realm := LOCAL (10) } # update control = noop (10) eap: Peer sent EAP Response (code 2) ID 11 length 6 (10) eap: No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) [logintime] = noop (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/inner (10) authenticate { (10) eap: Expiring EAP session with state 0x00b1f6cf01baecde (10) eap: Finished EAP session with state 0x00b1f6cf01baecde (10) eap: Previous EAP request found for state 0x00b1f6cf01baecde, released from the list (10) eap: Peer sent packet with method EAP MSCHAPv2 (26) (10) eap: Calling submodule eap_mschapv2 to process data (10) eap: Sending EAP Success (code 3) ID 11 length 4 (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/freeradius/sites- enabled/inner (10) post-auth { (10) if (1) { (10) if (1) -> TRUE (10) if (1) { (10) update reply { (10) User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7 efef0171bb6] *** glibc detected *** freeradius: free(): invalid next size (fast): 0x 0000000000b61230 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7efef017695c] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7efef159d089] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7efef15998b3] /usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7 efef2023b56] /usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x7efef 2263c9d] freeradius[0x4278ad] freeradius[0x4272aa] freeradius[0x42752d] freeradius[0x4272aa] freeradius[0x42752d] freeradius(modcall+0x43)[0x4286a3] freeradius(indexed_modcall+0xa5)[0x423205] freeradius(rad_postauth+0x80)[0x4118a0] freeradius(rad_virtual_server+0x3d0)[0x4128f0] /usr/lib/freeradius/rlm_eap_peap.so(eappeap_process+0x772)[0x7efee953c872] /usr/lib/freeradius/rlm_eap_peap.so(+0x1de2)[0x7efee953ade2] /usr/lib/freeradius/rlm_eap.so(+0x3bbb)[0x7efeeab60bbb] /usr/lib/freeradius/rlm_eap.so(eap_method_select+0xc8)[0x7efeeab60e58] /usr/lib/freeradius/rlm_eap.so(+0x2e15)[0x7efeeab5fe15] freeradius[0x4283b2] freeradius[0x4272aa] freeradius[0x42752d] freeradius(modcall+0x43)[0x4286a3] freeradius(indexed_modcall+0xa5)[0x423205] freeradius(rad_authenticate+0x73d)[0x4122bd] freeradius[0x4368ba] freeradius[0x4322ad] freeradius(request_receive+0x337)[0x433f97] freeradius[0x41d5b9] freeradius[0x4316ad] /usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7efef2036 c59] freeradius(main+0x6af)[0x410dbf] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7efef011aead] freeradius[0x411105] ======= Memory map: ======== 00400000-00463000 r-xp 00000000 01:01 77414 / usr/sbin/freeradius 00662000-00665000 r--p 00062000 01:01 77414 / usr/sbin/freeradius 00665000-00669000 rw-p 00065000 01:01 77414 / usr/sbin/freeradius 00669000-0066a000 rw-p 00000000 00:00 0 00800000-00b9b000 rw-p 00000000 00:00 0 [heap] ... and now the same situation, username length up to 5 characters: (10) ntdomain: Checking for prefix before "\" (10) ntdomain: No '\' in User-Name = "test2", looking up realm NULL (10) ntdomain: No such realm "NULL" (10) [ntdomain] = noop (10) update control { (10) &Proxy-To-Realm := LOCAL (10) } # update control = noop (10) eap: Peer sent EAP Response (code 2) ID 10 length 64 (10) eap: No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) [logintime] = noop (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/inner (10) authenticate { (10) eap: Expiring EAP session with state 0x3dd92fdb3dd3359e (10) eap: Finished EAP session with state 0x3dd92fdb3dd3359e (10) eap: Previous EAP request found for state 0x3dd92fdb3dd3359e, released from the list (10) eap: Peer sent packet with method EAP MSCHAPv2 (26) (10) eap: Calling submodule eap_mschapv2 to process data (10) eap_mschapv2: # Executing group from file /etc/freeradius/sites- enabled/inner (10) eap_mschapv2: authenticate { (10) mschap: Creating challenge hash with username: test2 (10) mschap: Client is using MS-CHAPv2 (10) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username =%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TEST.LOCAL} -- challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (10) mschap: EXPAND --username=%{mschap:User-Name:-None} (10) mschap: --> --username=test2 ... (12) policy remove_reply_message_if_eap { (12) if (&reply:EAP-Message && &reply:Reply-Message) { (12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (12) else { (12) [noop] = noop (12) } # else = noop (12) } # policy remove_reply_message_if_eap = noop (12) } # post-auth = ok (12) Sent Access-Accept Id 252 from 10.255.246.120:1812 to 10.255.246.253: 1812 length 0 (12) MS-MPPE-Recv-Key = 0x1f4851b2d1ec7efab075df3b8442ee2f92405e46935f2739 e329efbe06bc0e1e (12) MS-MPPE-Send-Key = 0xe75f33f2f6e0d814306d365d1c2d55da8296b7df034ad29b 762d516c0cc10f7f (12) EAP-Message = 0x030c0004 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) User-Name = "test2" (12) EAP-Key-Name := 0x1959b11211ec00b494af0aff7ea172e56e202f0fa593dd5f9b 40334b1906ab90534867b6668b5466cce813501306b028a585698afddf1dafb6937c56a41b 6241ff (12) Finished request But when I try radtest with username length more than 5 characters, no problem: ---------------------------------------------------------------------------- ------------------------- radius-test:~# radtest -t mschap abcdef 12345#W 10.255.246.120 1 SharedSecret Sent Access-Request Id 238 from 0.0.0.0:52211 to 10.255.246.120:1812 length 132 User-Name = "abcdef" MS-CHAP-Password = "12345#W" NAS-IP-Address = 10.255.246.120 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "12345#W" MS-CHAP-Challenge = 0x838e90923dacd16e MS-CHAP-Response = 0x 0001000000000000000000000000000000000000000000000000ce64b63fc3d55e1391b5f4ac 516373cd10bd09574a21bb8c Received Access-Accept Id 238 from 10.255.246.120:1812 to 0.0.0.0:0 length 37 Than you for any help, Petr Linke
radtest doesnt do EAP. your real packets are using EAP and therefore go through a different path - into inner-tunnel etc. use eg wpa_supplicant 'eapol_test' tool to actually run tests similar to a client. whats your config like in the authn/authz sections of inner-tunnel? what do you have enabled in the mschap module? (PS should be using winbind method with 3.0.15 rather than ntlm_auth :) ) alan On 7 September 2017 at 09:48, <petr.linke@seznam.cz> wrote:
Hello, I try to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth from samba. I use default settings, follow freeradius-active-directory- integration-howto. All work correctly for username length up to 5 characters, but when I use username, where the length is more than 5 characters, freeradius terminated due memory corruption. (freeradius v.3.0.15, running on debian Wheezy64).
debug for username length more than 5 characters:
... (10) ntdomain: Checking for prefix before "\" (10) ntdomain: No '\' in User-Name = "abcdef", looking up realm NULL (10) ntdomain: No such realm "NULL" (10) [ntdomain] = noop (10) update control { (10) &Proxy-To-Realm := LOCAL (10) } # update control = noop (10) eap: Peer sent EAP Response (code 2) ID 11 length 6 (10) eap: No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) [logintime] = noop (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/inner (10) authenticate { (10) eap: Expiring EAP session with state 0x00b1f6cf01baecde (10) eap: Finished EAP session with state 0x00b1f6cf01baecde (10) eap: Previous EAP request found for state 0x00b1f6cf01baecde, released from the list (10) eap: Peer sent packet with method EAP MSCHAPv2 (26) (10) eap: Calling submodule eap_mschapv2 to process data (10) eap: Sending EAP Success (code 3) ID 11 length 4 (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/freeradius/sites- enabled/inner (10) post-auth { (10) if (1) { (10) if (1) -> TRUE (10) if (1) { (10) update reply { (10) User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7 efef0171bb6] *** glibc detected *** freeradius: free(): invalid next size (fast): 0x 0000000000b61230 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7efef017695c] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7efef159d089] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7efef15998b3] /usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7 efef2023b56] /usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x7efef 2263c9d] freeradius[0x4278ad] freeradius[0x4272aa] freeradius[0x42752d] freeradius[0x4272aa] freeradius[0x42752d] freeradius(modcall+0x43)[0x4286a3] freeradius(indexed_modcall+0xa5)[0x423205] freeradius(rad_postauth+0x80)[0x4118a0] freeradius(rad_virtual_server+0x3d0)[0x4128f0] /usr/lib/freeradius/rlm_eap_peap.so(eappeap_process+0x772)[0x7efee953c872] /usr/lib/freeradius/rlm_eap_peap.so(+0x1de2)[0x7efee953ade2] /usr/lib/freeradius/rlm_eap.so(+0x3bbb)[0x7efeeab60bbb] /usr/lib/freeradius/rlm_eap.so(eap_method_select+0xc8)[0x7efeeab60e58] /usr/lib/freeradius/rlm_eap.so(+0x2e15)[0x7efeeab5fe15] freeradius[0x4283b2] freeradius[0x4272aa] freeradius[0x42752d] freeradius(modcall+0x43)[0x4286a3] freeradius(indexed_modcall+0xa5)[0x423205] freeradius(rad_authenticate+0x73d)[0x4122bd] freeradius[0x4368ba] freeradius[0x4322ad] freeradius(request_receive+0x337)[0x433f97] freeradius[0x41d5b9] freeradius[0x4316ad] /usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7efef2036 c59] freeradius(main+0x6af)[0x410dbf] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7efef011aead] freeradius[0x411105] ======= Memory map: ======== 00400000-00463000 r-xp 00000000 01:01 77414 / usr/sbin/freeradius 00662000-00665000 r--p 00062000 01:01 77414 / usr/sbin/freeradius 00665000-00669000 rw-p 00065000 01:01 77414 / usr/sbin/freeradius 00669000-0066a000 rw-p 00000000 00:00 0 00800000-00b9b000 rw-p 00000000 00:00 0 [heap] ...
and now the same situation, username length up to 5 characters:
(10) ntdomain: Checking for prefix before "\" (10) ntdomain: No '\' in User-Name = "test2", looking up realm NULL (10) ntdomain: No such realm "NULL" (10) [ntdomain] = noop (10) update control { (10) &Proxy-To-Realm := LOCAL (10) } # update control = noop (10) eap: Peer sent EAP Response (code 2) ID 10 length 64 (10) eap: No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) [logintime] = noop (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/inner (10) authenticate { (10) eap: Expiring EAP session with state 0x3dd92fdb3dd3359e (10) eap: Finished EAP session with state 0x3dd92fdb3dd3359e (10) eap: Previous EAP request found for state 0x3dd92fdb3dd3359e, released from the list (10) eap: Peer sent packet with method EAP MSCHAPv2 (26) (10) eap: Calling submodule eap_mschapv2 to process data (10) eap_mschapv2: # Executing group from file /etc/freeradius/sites- enabled/inner (10) eap_mschapv2: authenticate { (10) mschap: Creating challenge hash with username: test2 (10) mschap: Client is using MS-CHAPv2 (10) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username =%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TEST.LOCAL} -- challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (10) mschap: EXPAND --username=%{mschap:User-Name:-None} (10) mschap: --> --username=test2 ... (12) policy remove_reply_message_if_eap { (12) if (&reply:EAP-Message && &reply:Reply-Message) { (12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (12) else { (12) [noop] = noop (12) } # else = noop (12) } # policy remove_reply_message_if_eap = noop (12) } # post-auth = ok (12) Sent Access-Accept Id 252 from 10.255.246.120:1812 to 10.255.246.253: 1812 length 0 (12) MS-MPPE-Recv-Key = 0x1f4851b2d1ec7efab075df3b8442ee2f92405e46935f2739 e329efbe06bc0e1e (12) MS-MPPE-Send-Key = 0xe75f33f2f6e0d814306d365d1c2d55da8296b7df034ad29b 762d516c0cc10f7f (12) EAP-Message = 0x030c0004 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) User-Name = "test2" (12) EAP-Key-Name := 0x1959b11211ec00b494af0aff7ea172e56e202f0fa593dd5f9b 40334b1906ab90534867b6668b5466cce813501306b028a585698afddf1dafb6937c56a41b 6241ff (12) Finished request
But when I try radtest with username length more than 5 characters, no problem: ---------------------------------------------------------------------------- ------------------------- radius-test:~# radtest -t mschap abcdef 12345#W 10.255.246.120 1 SharedSecret Sent Access-Request Id 238 from 0.0.0.0:52211 to 10.255.246.120:1812 length 132 User-Name = "abcdef" MS-CHAP-Password = "12345#W" NAS-IP-Address = 10.255.246.120 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "12345#W" MS-CHAP-Challenge = 0x838e90923dacd16e MS-CHAP-Response = 0x 0001000000000000000000000000000000000000000000000000ce64b63fc3d55e1391b5f4ac 516373cd10bd09574a21bb8c Received Access-Accept Id 238 from 10.255.246.120:1812 to 0.0.0.0:0 length 37
Than you for any help, Petr Linke
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, I try to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth from samba. I use default settings, follow freeradius-active-directory- integration-howto. All work correctly for username length up to 5 characters, but when I use username, where the length is more than 5 characters, freeradius terminated due memory corruption. (freeradius v.3.0.15, running on debian Wheezy64).
debug for username length more than 5 characters:
... (10) ntdomain: Checking for prefix before "\" (10) ntdomain: No '\' in User-Name = "abcdef", looking up realm NULL (10) ntdomain: No such realm "NULL" (10) [ntdomain] = noop (10) update control { (10) &Proxy-To-Realm := LOCAL (10) } # update control = noop (10) eap: Peer sent EAP Response (code 2) ID 11 length 6 (10) eap: No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) [logintime] = noop (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/inner (10) authenticate { (10) eap: Expiring EAP session with state 0x00b1f6cf01baecde (10) eap: Finished EAP session with state 0x00b1f6cf01baecde (10) eap: Previous EAP request found for state 0x00b1f6cf01baecde, released from the list (10) eap: Peer sent packet with method EAP MSCHAPv2 (26) (10) eap: Calling submodule eap_mschapv2 to process data (10) eap: Sending EAP Success (code 3) ID 11 length 4 (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/freeradius/sites- enabled/inner (10) post-auth { (10) if (1) { (10) if (1) -> TRUE (10) if (1) { (10) update reply { (10) User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7 efef0171bb6] *** glibc detected *** freeradius: free(): invalid next size (fast): 0x 0000000000b61230 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7efef017695c] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7efef159d089] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7efef15998b 3] /usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x 7 efef2023b56] /usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x7efef 2263c9d] freeradius[0x4278ad] freeradius[0x4272aa] freeradius[0x42752d] freeradius[0x4272aa] freeradius[0x42752d] freeradius(modcall+0x43)[0x4286a3] freeradius(indexed_modcall+0xa5)[0x423205] freeradius(rad_postauth+0x80)[0x4118a0] freeradius(rad_virtual_server+0x3d0)[0x4128f0] /usr/lib/freeradius/rlm_eap_peap.so(eappeap_process+0x772)[0x7efee953c872] /usr/lib/freeradius/rlm_eap_peap.so(+0x1de2)[0x7efee953ade2] /usr/lib/freeradius/rlm_eap.so(+0x3bbb)[0x7efeeab60bbb] /usr/lib/freeradius/rlm_eap.so(eap_method_select+0xc8)[0x7efeeab60e58] /usr/lib/freeradius/rlm_eap.so(+0x2e15)[0x7efeeab5fe15] freeradius[0x4283b2] freeradius[0x4272aa] freeradius[0x42752d] freeradius(modcall+0x43)[0x4286a3] freeradius(indexed_modcall+0xa5)[0x423205] freeradius(rad_authenticate+0x73d)[0x4122bd] freeradius[0x4368ba] freeradius[0x4322ad] freeradius(request_receive+0x337)[0x433f97] freeradius[0x41d5b9] freeradius[0x4316ad] /usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7efef 2036 c59] freeradius(main+0x6af)[0x410dbf] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7efef011aead] freeradius[0x411105] ======= Memory map: ======== 00400000-00463000 r-xp 00000000 01:01 77414 / usr/sbin/freeradius 00662000-00665000 r--p 00062000 01:01 77414 / usr/sbin/freeradius 00665000-00669000 rw-p 00065000 01:01 77414 / usr/sbin/freeradius 00669000-0066a000 rw-p 00000000 00:00 0 00800000-00b9b000 rw-p 00000000 00:00 0 [heap] ...
and now the same situation, username length up to 5 characters:
(10) ntdomain: Checking for prefix before "\" (10) ntdomain: No '\' in User-Name = "test2", looking up realm NULL (10) ntdomain: No such realm "NULL" (10) [ntdomain] = noop (10) update control { (10) &Proxy-To-Realm := LOCAL (10) } # update control = noop (10) eap: Peer sent EAP Response (code 2) ID 10 length 64 (10) eap: No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) [logintime] = noop (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/inner (10) authenticate { (10) eap: Expiring EAP session with state 0x3dd92fdb3dd3359e (10) eap: Finished EAP session with state 0x3dd92fdb3dd3359e (10) eap: Previous EAP request found for state 0x3dd92fdb3dd3359e, released from the list (10) eap: Peer sent packet with method EAP MSCHAPv2 (26) (10) eap: Calling submodule eap_mschapv2 to process data (10) eap_mschapv2: # Executing group from file /etc/freeradius/sites- enabled/inner (10) eap_mschapv2: authenticate { (10) mschap: Creating challenge hash with username: test2 (10) mschap: Client is using MS-CHAPv2 (10) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key -- username =%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TEST.LOCAL} -- challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (10) mschap: EXPAND --username=%{mschap:User-Name:-None} (10) mschap: --> --username=test2 ... (12) policy remove_reply_message_if_eap { (12) if (&reply:EAP-Message && &reply:Reply-Message) { (12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (12) else { (12) [noop] = noop (12) } # else = noop (12) } # policy remove_reply_message_if_eap = noop (12) } # post-auth = ok (12) Sent Access-Accept Id 252 from 10.255.246.120:1812 to 10.255.246.253: 1812 length 0 (12) MS-MPPE-Recv-Key = 0x1f4851b2d1ec7efab075df3b8442ee2f92405e46935f2739 e329efbe06bc0e1e (12) MS-MPPE-Send-Key = 0xe75f33f2f6e0d814306d365d1c2d55da8296b7df034ad29b 762d516c0cc10f7f (12) EAP-Message = 0x030c0004 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) User-Name = "test2" (12) EAP-Key-Name := 0x1959b11211ec00b494af0aff7ea172e56e202f0fa593dd5f9b 40334b1906ab90534867b6668b5466cce813501306b028a585698afddf1dafb6937c56a41b 6241ff (12) Finished request
But when I try radtest with username length more than 5 characters, no problem: -------------------------------------------------------------------------- -- ------------------------- radius-test:~# radtest -t mschap abcdef 12345#W 10.255.246.120 1 SharedSecret Sent Access-Request Id 238 from 0.0.0.0:52211 to 10.255.246.120:1812 length 132 User-Name = "abcdef" MS-CHAP-Password = "12345#W" NAS-IP-Address = 10.255.246.120 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "12345#W" MS-CHAP-Challenge = 0x838e90923dacd16e MS-CHAP-Response = 0x 0001000000000000000000000000000000000000000000000000ce64b63fc3d55e1391b5f4 ac 516373cd10bd09574a21bb8c Received Access-Accept Id 238 from 10.255.246.120:1812 to 0.0.0.0:0 length 37
Than you for any help, Petr Linke
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html
Hi, I tryed eapol_test, and the eapol_test succeed for username with length more than 5 characters. Here is command: eapol_test -c ./eapol_test.conf -s SharedSecret -a 10.255.246.120 ... ENGINE: engine deinit MPPE keys OK: 1 mismatch: 0 SUCCESS and here is the debug from freeradius: (9) ntdomain: Checking for prefix before "\" (9) ntdomain: No '\' in User-Name = "abcdef", looking up realm NULL (9) ntdomain: No such realm "NULL" (9) [ntdomain] = noop (9) update control { (9) &Proxy-To-Realm := LOCAL (9) } # update control = noop (9) eap: Peer sent EAP Response (code 2) ID 9 length 65 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [logintime] = noop (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/inner (9) authenticate { (9) eap: Expiring EAP session with state 0x5c5a59c65c534372 (9) eap: Finished EAP session with state 0x5c5a59c65c534372 (9) eap: Previous EAP request found for state 0x5c5a59c65c534372, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/ inner (9) eap_mschapv2: authenticate { (9) mschap: Creating challenge hash with username: abcdef ... (11) Sent Access-Accept Id 11 from 10.255.246.120:1812 to 10.255.246.120: 55228 length 0 (11) MS-MPPE-Recv-Key = 0xda125ae5c2135b237a9fb5015aae8113737af18255fc 163912a87fa3b4a73c54 (11) MS-MPPE-Send-Key = 0x2b1b016695ef06e4bbbdd71d826e97b77ed6db4c6c59185e 6f0a3c28f3f6ef6a (11) EAP-Message = 0x030b0004 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) User-Name = "abcdef" (11) EAP-Key-Name := 0x197a80a2347b0f01d3c32d4bf8551f6467b2abe6cc479d548d 028c92603a9e7a902ae9a06bbd30ec205596a0eeb2ac10d210db303d9093e9aa7ffcd84dfa 889ccf (11) Finished request Sections authz and authn from inner-tunnel: ------------------------------------------------------- authorize { filter_username filter_inner_identity mschap suffix ntdomain update control { &Proxy-To-Realm := LOCAL } eap { ok = return } logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap eap } Petr ---------- original mail ---------- From: Alan Buxey <alan.buxey@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: 7. 9. 2017 11:14:58 Subject: Re: freeradius 3.0.15 memory corruption "radtest doesnt do EAP. your real packets are using EAP and therefore go through a different path - into inner-tunnel etc. use eg wpa_supplicant 'eapol_test' tool to actually run tests similar to a client. whats your config like in the authn/authz sections of inner-tunnel? what do you have enabled in the mschap module? (PS should be using winbind method with 3.0.15 rather than ntlm_auth :) ) alan On 7 September 2017 at 09:48, <petr.linke@seznam.cz> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html"
On Thu, Sep 7, 2017 at 5:37 PM, <petr.linke@seznam.cz> wrote:
Hi, I tryed eapol_test, and the eapol_test succeed for username with length more than 5 characters.
Here is command: eapol_test -c ./eapol_test.conf -s SharedSecret -a 10.255.246.120
(9) eap_mschapv2: authenticate { (9) mschap: Creating challenge hash with username: abcdef ...
(11) Finished request
Did you cut the post-auth section? Or did you use a different config?
(10) # Executing section post-auth from file /etc/freeradius/sites- enabled/inner (10) post-auth { (10) if (1) { (10) if (1) -> TRUE (10) if (1) { (10) update reply { (10) User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7 efef0171bb6] *** glibc detected *** freeradius: free(): invalid next size (fast): 0x 0000000000b61230 ***
On your original post, the problem happens on post-auth. And changing/sending 'User-Name' in reply looks weird. What is your actual post-auth section on /etc/freeradius/sites-enabled/inner ? -- Fajar
section post-ath from inner-tunnel: post-auth { if (1) { # # These attributes are for the inner-tunnel only, # and MUST NOT be copied to the outer reply. # update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } update { &outer.session-state: += &reply: } } Post-Auth-Type REJECT { attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure- Message } } } and here is part from debug again: (11) # Executing group from file /etc/freeradius/sites-enabled/inner (11) authenticate { (11) eap: Expiring EAP session with state 0x74680c42756316ac (11) eap: Finished EAP session with state 0x74680c42756316ac (11) eap: Previous EAP request found for state 0x74680c42756316ac, released from the list (11) eap: Peer sent packet with method EAP MSCHAPv2 (26) (11) eap: Calling submodule eap_mschapv2 to process data (11) eap: Sending EAP Success (code 3) ID 11 length 4 (11) eap: Freeing handler (11) [eap] = ok (11) } # authenticate = ok (11) # Executing section post-auth from file /etc/freeradius/sites- enabled/inner (11) post-auth { (11) if (1) { (11) if (1) -> TRUE (11) if (1) { (11) update reply { (11) User-Name !* ANY *** glibc detected *** freeradius: free(): invalid next size (fast): 0x 000000000258d0b0 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7f5a586f0bb6] /lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7f5a586f595c] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7f5a59b1c089] /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7f5a59b188b3] /usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7f 5a5a5a2b56] /usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x ... Petr ---------- Original mail ---------- From: Fajar A. Nugraha <list@fajar.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: 7. 9. 2017 14:52:25 Subject: Re: freeradius 3.0.15 memory corruption "On Thu, Sep 7, 2017 at 5:37 PM, <petr.linke@seznam.cz> wrote:
Hi, I tryed eapol_test, and the eapol_test succeed for username with length more than 5 characters.
Here is command: eapol_test -c ./eapol_test.conf -s SharedSecret -a 10.255.246.120
(9) eap_mschapv2: authenticate { (9) mschap: Creating challenge hash with username: abcdef ...
(11) Finished request
Did you cut the post-auth section? Or did you use a different config?
(10) # Executing section post-auth from file /etc/freeradius/sites- enabled/inner (10) post-auth { (10) if (1) { (10) if (1) -> TRUE (10) if (1) { (10) update reply { (10) User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7 efef0171bb6] *** glibc detected *** freeradius: free(): invalid next size (fast): 0x 0000000000b61230 ***
On your original post, the problem happens on post-auth. And changing/sending 'User-Name' in reply looks weird. What is your actual post-auth section on /etc/freeradius/sites-enabled/inner ? -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html"
On Sep 7, 2017, at 4:48 AM, petr.linke@seznam.cz wrote:
I try to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth from samba. I use default settings, follow freeradius-active-directory- integration-howto. All work correctly for username length up to 5 characters, but when I use username, where the length is more than 5 characters, freeradius terminated due memory corruption. (freeradius v.3.0.15, running on debian Wheezy64).
debug for username length more than 5 characters:
Which doesn't show the packet coming in, or what you're doing to it. Having *some* information would be useful. Please follow doc/bugs to get a useful backtrace. Or. run it in debugging mode with "radiusd -Xxx". You'll get a LOT more output, and the server will do additional memory sanity checking. That may show something useful. Alan DeKok.
---------- Original mail ---------- From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: 7. 9. 2017 15:01:10 Subject: Re: freeradius 3.0.15 memory corruption When I fill into username only name without domain, the memory corruption appears. When I put into username DOMAIN\NAME, all works fine. In the module mschap I have set the default domain in ntlm_auth command via --domain=%{%{mschap:NT-Domain}:-TEST.LOCAL}, so during the tests I do not fill the domain into username. Petr "On Sep 7, 2017, at 4:48 AM, petr.linke@seznam.cz wrote:
I try to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth from samba. I use default settings, follow freeradius-active-directory- integration-howto. All work correctly for username length up to 5 characters, but when I use username, where the length is more than 5 characters, freeradius terminated due memory corruption. (freeradius v.3.0.15, running on debian Wheezy64).
debug for username length more than 5 characters:
Which doesn't show the packet coming in, or what you're doing to it. Having *some* information would be useful. Please follow doc/bugs to get a useful backtrace. Or. run it in debugging mode with "radiusd -Xxx". You'll get a LOT more output, and the server will do additional memory sanity checking. That may show something useful. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html"
Only additional info. The same situation is with winbind method - username without domain with length more than 5 characters = memory corruption. Username (length > 5 char) with domain = OK. Petr " ---------- Original mail ---------- From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: 7. 9. 2017 15:01:10 Subject: Re: freeradius 3.0.15 memory corruption When I fill into username only name without domain, the memory corruption appears. When I put into username DOMAIN\NAME, all works fine. In the module mschap I have set the default domain in ntlm_auth command via --domain=%{%{mschap:NT-Domain}:-TEST.LOCAL}, so during the tests I do not fill the domain into username. Petr "On Sep 7, 2017, at 4:48 AM, petr.linke@seznam.cz wrote:
I try to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth from samba. I use default settings, follow freeradius-active-directory- integration-howto. All work correctly for username length up to 5 characters, but when I use username, where the length is more than 5 characters, freeradius terminated due memory corruption. (freeradius v.3.0.15, running on debian Wheezy64).
debug for username length more than 5 characters:
Which doesn't show the packet coming in, or what you're doing to it. Having *some* information would be useful. Please follow doc/bugs to get a useful backtrace. Or. run it in debugging mode with "radiusd -Xxx". You'll get a LOT more output, and the server will do additional memory sanity checking. That may show something useful. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html""
On Sep 7, 2017, at 11:06 AM, <petr.linke@seznam.cz> <petr.linke@seznam.cz> wrote:
Only additional info. The same situation is with winbind method - username without domain with length more than 5 characters = memory corruption. Username (length > 5 char) with domain = OK.
The additional information I need is:
Please follow doc/bugs to get a useful backtrace.
Or. run it in debugging mode with "radiusd -Xxx". You'll get a LOT more output, and the server will do additional memory sanity checking. That may show something useful.
If I don't get that, I can't help you. Alan DeKok.
Ok, I understand. In attachment is the full debug (freeradius -Xxx) with winbind method in mschap. Thank you for your help, Petr ---------- Original mail ---------- From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: 7. 9. 2017 17:11:19 Subjectt: Re: freeradius 3.0.15 memory corruption "On Sep 7, 2017, at 11:06 AM, <petr.linke@seznam.cz> <petr.linke@seznam.cz> wrote:
Only additional info. The same situation is with winbind method - username
without domain with length more than 5 characters = memory corruption. Username (length > 5 char) with domain = OK.
The additional information I need is:
Please follow doc/bugs to get a useful backtrace.
Or. run it in debugging mode with "radiusd -Xxx". You'll get a LOT more output, and the server will do additional memory sanity checking. That may
show something useful.
If I don't get that, I can't help you. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html"
Only one info from aditional tests: if in windows authentication dialog I fill correct name without domain and correct password, and username length is more than 5 characters - memory corruption. if in windows authentication dialog I fill correct name (any length) without domain and wrong password (auth fail) - no memory corruption. Petr "Ok, I understand. In attachment is the full debug (freeradius -Xxx) with winbind method in mschap. Thank you for your help, Petr ---------- Original mail ---------- From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: 7. 9. 2017 17:11:19 Subjectt: Re: freeradius 3.0.15 memory corruption "On Sep 7, 2017, at 11:06 AM, <petr.linke@seznam.cz> <petr.linke@seznam.cz> wrote:
Only additional info. The same situation is with winbind method - username
without domain with length more than 5 characters = memory corruption. Username (length > 5 char) with domain = OK.
The additional information I need is:
Please follow doc/bugs to get a useful backtrace.
Or. run it in debugging mode with "radiusd -Xxx". You'll get a LOT more output, and the server will do additional memory sanity checking. That may
show something useful.
If I don't get that, I can't help you. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html"
That's to be expected. Wrong password means you don't hit the same code path. The server would only be hitting the reject section of post-auth On 7 Sep 2017 5:19 pm, <petr.linke@seznam.cz> wrote:
Only one info from aditional tests:
if in windows authentication dialog I fill correct name without domain and correct password, and username length is more than 5 characters - memory corruption. if in windows authentication dialog I fill correct name (any length) without domain and wrong password (auth fail) - no memory corruption.
Petr
"Ok, I understand. In attachment is the full debug (freeradius -Xxx) with winbind method in mschap.
Thank you for your help, Petr
---------- Original mail ---------- From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: 7. 9. 2017 17:11:19 Subjectt: Re: freeradius 3.0.15 memory corruption "On Sep 7, 2017, at 11:06 AM, <petr.linke@seznam.cz> <petr.linke@seznam.cz
wrote:
Only additional info. The same situation is with winbind method -
username
without domain with length more than 5 characters = memory corruption. Username (length > 5 char) with domain = OK.
The additional information I need is:
Please follow doc/bugs to get a useful backtrace.
Or. run it in debugging mode with "radiusd -Xxx". You'll get a LOT more output, and the server will do additional memory sanity checking. That may
show something useful.
If I don't get that, I can't help you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html" - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (4)
-
Alan Buxey -
Alan DeKok -
Fajar A. Nugraha -
petr.linke@seznam.cz