SEGV in 3.0.11

Alan DeKok aland at
Tue Mar 15 15:32:01 CET 2016

On Mar 15, 2016, at 10:22 AM, Phil Mayers <p.mayers at> wrote:
> Looks like req_list is getting trampled with something - rlm_sql query strings from the look of the memory. But I don't understand how - paircompare is passed request, request->packet->vps but by line 537 req_list is now a different pointer:

  The only thing I can think of is that it's being passed as a VALUE_PAIR*, and the underlying VALUE_PAIR is being free'd somewhere.

  But it's weird that it's being freed in the middle of the function.

  Try watching the address of req_list.  In developer builds, the _pair_free function in src/lib/pair.c writes to the VP before it's freed.  You may also update that function to memset() all of it's entries to zero, too.

  Alan DeKok.

More information about the Freeradius-Devel mailing list