talloc & threads in rlm_eap
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Jun 23 18:13:27 CEST 2014
On 23 Jun 2014, at 17:02, Phil Mayers <p.mayers at IMPERIAL.AC.UK> wrote:
> On 23/06/14 16:55, Arran Cudbard-Bell wrote:
>>
>> On 23 Jun 2014, at 16:52, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>>
>>> On 23/06/14 16:45, Phil Mayers wrote:
>>>> On 23/06/14 16:29, Arran Cudbard-Bell wrote:
>>>>
>>>>> Any better with latest v3.0.x HEAD? Just fixed all the connection pool
>>>>> handle allocation.
>>>>
>>>> Don't think so, immediate bomb-out when hammering it with EAP; just
>>>> rebuilding after make distclean to be absolutely sure I'm on the latest
>>>> (it would be nice if git activity updated the version reported in "-v";
>>>> seems to only be captured at ./configure time and this makes me paranoid
>>>> I've not updated the binaries correctly)
>>>>
>>>
>>> Yeah same sort of thing:
>>>
>>
>> One more time... I found another one in the cache module...

Replace:

/** Dynamically allocate a new attribute
 *
 * Allocates a new attribute and a new dictionary attr if no DA is provided.
 *
 * @param[in] ctx for allocated memory, usually a pointer to a RADIUS_PACKET
 * @param[in] da Specifies the dictionary attribute to build the VP from.
 * @return a new value pair or NULL if an error occurred.
 */
VALUE_PAIR *pairalloc(TALLOC_CTX *ctx, DICT_ATTR const *da)
{
	VALUE_PAIR *vp;

	/*
	 *	Caller must specify a da else we don't know what the attribute type is.
	 */
	if (!da) {
		fr_strerror_printf("Invalid arguments");
		return NULL;
	}

	vp = talloc_zero(ctx, VALUE_PAIR);
	if (!vp) {
		fr_strerror_printf("Out of memory");
		return NULL;
	}

	vp->da = da;
	vp->op = T_OP_EQ;
	vp->tag = TAG_ANY;
	vp->type = VT_NONE;
	vp->length = da->flags.length;

	talloc_set_destructor(vp, _pairfree);

	return vp;
}

With:

/* Backtrace buffer for VALUE_PAIRs, NULL until the first fr_backtrace_attach() call */
static fr_cbuff_t *vp_bt;

VALUE_PAIR *pairalloc(TALLOC_CTX *ctx, DICT_ATTR const *da)
{
	VALUE_PAIR *vp;

	/*
	 *	Caller must specify a da else we don't know what the attribute type is.
	 */
	if (!da) {
		fr_strerror_printf("Invalid arguments");
		return NULL;
	}

	vp = talloc_zero(ctx, VALUE_PAIR);
	if (!vp) {
		fr_strerror_printf("Out of memory");
		return NULL;
	}

	vp->da = da;
	vp->op = T_OP_EQ;
	vp->tag = TAG_ANY;
	vp->type = VT_NONE;
	vp->length = da->flags.length;

	talloc_set_destructor(vp, _pairfree);

	/* Pass the address of the static pointer so the buffer can be allocated on first use */
	fr_backtrace_attach(&vp_bt, vp);

	return vp;
}

Run with:

  PANIC_ACTION="gdb %e %p" radiusd -f -lstdout

When it crashes, p the value of the vp to get the pointer address, then in gdb:

  call backtrace_print(&vp_bt, <pointer to double freed vp>)

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
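
Added example, not part of the original message and not FreeRADIUS code: a stand-alone C sketch of the general idea behind the instrumented pairalloc() above, recording the stack at free time in a small ring buffer keyed by pointer, so that a second free of the same address is reported together with where the first one happened. It uses calloc/free and glibc's backtrace() instead of talloc; tracked_alloc, tracked_free, bt_find and the ring sizes are hypothetical names, and there is no locking, so a threaded server would need a mutex around the ring.

```c
#include <execinfo.h>   /* backtrace(), backtrace_symbols_fd(): glibc */
#include <stdio.h>
#include <stdlib.h>

#define RING_SLOTS 64   /* free events kept; older ones are overwritten */
#define MAX_FRAMES 16   /* stack frames stored per event */
typedef struct { void *obj; int depth; void *frames[MAX_FRAMES]; } bt_event_t;

static bt_event_t ring[RING_SLOTS];
static unsigned ring_next;

/* Return the recorded free of obj, or NULL if the ring holds none */
bt_event_t *bt_find(void *obj)
{
	for (unsigned i = 0; i < RING_SLOTS; i++)
		if (obj && ring[i].obj == obj) return &ring[i];
	return NULL;
}

/* Allocate, and drop any stale record if the allocator recycled the address */
void *tracked_alloc(size_t len)
{
	void *p = calloc(1, len);
	bt_event_t *old = bt_find(p);
	if (old) old->obj = NULL;
	return p;
}

/* 0 = freed normally, -1 = obj was already freed (reported, not freed again) */
int tracked_free(void *obj)
{
	bt_event_t *e = bt_find(obj);
	if (e) {
		fprintf(stderr, "double free of %p; first freed from:\n", obj);
		backtrace_symbols_fd(e->frames, e->depth, 2);
		return -1;
	}
	if (!obj) return 0;                     /* free(NULL) is a no-op */
	e = &ring[ring_next++ % RING_SLOTS];
	e->obj = obj;
	e->depth = backtrace(e->frames, MAX_FRAMES);  /* remember who freed it */
	free(obj);
	return 0;
}

int main(void)
{
	void *vp = tracked_alloc(64); tracked_free(vp);
	return tracked_free(vp) == -1 ? 0 : 1;  /* second free is caught */
}
```

Building with -g -rdynamic makes backtrace_symbols_fd() print function names rather than bare addresses.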