Bad talloc magic value inside tls.c:sess_free_vps

Phil Mayers p.mayers at imperial.ac.uk
Tue Jun 24 18:47:28 CEST 2014


(Starting a new thread to keep mailreader depth sane)

#4  0x00007f666e6ef97a in _fr_talloc_fault (reason=0x36ad408378 "Bad talloc magic value - unknown value") at src/lib/debug.c:561
#5  0x00000036ad402df1 in talloc_abort_unknown_value (ptr=<value optimized out>) at ../talloc.c:341
#6  talloc_chunk_from_ptr (ptr=<value optimized out>) at ../talloc.c:360
#7  talloc_get_name (ptr=<value optimized out>) at ../talloc.c:1153
#8  0x00000036ad4057eb in _talloc_get_type_abort (ptr=0x7f662c091dd0, name=0x7f666e714bdb "VALUE_PAIR", location=0x7f666e714bc7 "src/lib/debug.c:817") at ../talloc.c:1206
#9  0x00007f666e6f0104 in fr_verify_vp (file=0x7f666e7144f0 "src/lib/cursor.c", line=151, vp=0x7f662c091dd0) at src/lib/debug.c:817
#10 0x00007f666e6eec3f in fr_cursor_next (cursor=0x7f666a584490) at src/lib/cursor.c:151
#11 0x00007f666e70b75e in pairfree (vps=0x7f666a584508) at src/lib/valuepair.c:169
#12 0x00000000004493d6 in sess_free_vps (parent=0x7f664c0b76f0, data_ptr=0x7f662c07b140, ad=0x7f664c0b78e8, idx=0, argl=0, argp=0x0) at src/main/tls.c:1986
#13 0x00000037a0c6a68a in ?? () from /usr/lib64/libcrypto.so.10
#14 0x00000037a7c466bc in SSL_SESSION_free () from /usr/lib64/libssl.so.10
#15 0x00000037a7c445cd in SSL_free () from /usr/lib64/libssl.so.10
#16 0x000000000044624f in session_close (ssn=0x7f6644063950) at src/main/tls.c:599

At a guess, this is wrong:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_eap/libeap/eap_tls.c#L112

...because FR_TLS_EX_INDEX_TALLOC is used to parent the VPs paircopy'ed in:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/tls.c#L2676


I spent a bit of time looking at this earlier; the lifecycle of some of 
these objects is really really really hard to follow, both because 
OpenSSL is a bit weird, and because the naming of the FR TLS stuff is 
used in different ways to similarly-named objects inside OpenSSL.

Summary for my own notes:

OpenSSL:

  SSL_CTX* is an OpenSSL object containing the certs/keys/settings, that 
creates an...

  SSL* is an OpenSSL "connection" i.e. an SSL handshake, that creates or 
uses a cached...

  SSL_SESSION* is a negotiated OpenSSL master key & algos

FreeRADIUS:

  tls_session_t is an OpenSSL SSL* i.e. connection plus some bits i.e. 
the BIOs to feed into/out of OpenSSL

  eap_handler_t is an EAP exchange; it's keyed off State which mutates 
on every round trip. It contains a bunch of eap counter stuff and the 
tls_session_t

Given that sess_free_vps() is called by OpenSSL when the session goes 
away, I guess we don't need to parent the cached VPs to anything; ditto 
the cached certs?

Certainly don't want to parent the vps/certs to handler or 
tls_session_t; those have shorter lifetimes than SSL_SESSION* objects.
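The lifetime argument above, as an added illustration that is not part of the post or of FreeRADIUS/talloc: a tiny hierarchical allocator with a magic word (constructed values, not talloc's) shows why a cached VP parented to the shorter-lived handler is already poisoned by the time the SSL_SESSION is freed, while a free-standing (NULL-parented) chunk survives until sess_free_vps() releases it.

```c
/* Added model of the lifetime problem discussed in the post (hypothetical,
 * not FreeRADIUS or talloc code): a minimal hierarchical allocator with a
 * magic word, used to show how parenting session-cached data to a
 * shorter-lived object leaves a dangling chunk for the later
 * SSL_SESSION_free -> sess_free_vps path to stumble over. */
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>

#define MAGIC_LIVE  0x7A110C00u   /* constructed value standing in for talloc's */
#define MAGIC_FREED 0xDEADDEADu

typedef struct chunk {
    uint32_t magic;
    struct chunk *child;   /* first child */
    struct chunk *next;    /* next sibling under the same parent */
} chunk_t;

/* Allocate a chunk under parent (NULL = free-standing, like talloc(NULL, ...)). */
static chunk_t *chunk_alloc(chunk_t *parent) {
    chunk_t *c = calloc(1, sizeof(*c));
    c->magic = MAGIC_LIVE;
    if (parent) { c->next = parent->child; parent->child = c; }
    return c;
}

/* Freeing a parent frees every descendant, as talloc_free() does. Memory is
 * only poisoned, not released, so the dangling pointer can still be inspected. */
static void chunk_free(chunk_t *c) {
    for (chunk_t *k = c->child; k; k = k->next) chunk_free(k);
    c->magic = MAGIC_FREED;
}

/* The check _talloc_get_type_abort() performs before trusting a pointer. */
static bool chunk_is_live(const chunk_t *c) { return c->magic == MAGIC_LIVE; }

/* Two parenting choices for the paircopy'd VP. Returns whether the cached VP
 * is still valid when the longer-lived SSL_SESSION is finally freed. */
static bool cached_vp_survives(bool parent_to_handler) {
    chunk_t *handler = chunk_alloc(NULL);             /* eap_handler_t / tls_session_t */
    chunk_t *cached  = chunk_alloc(parent_to_handler ? handler : NULL);
    chunk_free(handler);              /* EAP exchange ends: handler goes away first */
    bool ok = chunk_is_live(cached);  /* later: SSL_SESSION_free -> sess_free_vps */
    if (ok) chunk_free(cached);       /* the session callback is the right owner */
    free(cached); free(handler);
    return ok;
}
```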

