SEGV in 3.0.11
Alan DeKok
aland at deployingradius.com
Tue Mar 15 15:32:01 CET 2016
On Mar 15, 2016, at 10:22 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
> Looks like req_list is getting trampled with something - rlm_sql query strings from the look of the memory. But I don't understand how - paircompare is passed request, request->packet->vps but by line 537 req_list is now a different pointer:
The only thing I can think of is that it's being passed as a VALUE_PAIR*, and the underlying VALUE_PAIR is being free'd somewhere.
But it's weird that it's being freed in the middle of the function.
Try watching the address of req_list. In developer builds, the _pair_free function in src/lib/pair.c writes to the VP before it's freed. You may also update that function to memset() all of its entries to zero, too.
Alan DeKok.
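
The debugging idea in the message above (have the free routine overwrite the structure so a stale pointer is obvious when it is next used), as an added C example that is not part of the original post and is not FreeRADIUS code. `demo_pair_t`, the static pool and every `demo_*` function are hypothetical; the pool stands in for the heap so that inspecting a released node stays defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an attribute/value node; not FreeRADIUS's VALUE_PAIR. */
typedef struct demo_pair {
    uint32_t magic;            /* DEMO_LIVE while the node is allocated */
    uint32_t attr;
    char value[32];
    struct demo_pair *next;
} demo_pair_t;

#define DEMO_LIVE 0x6c697665u  /* ASCII "live" */
#define DEMO_POOL 8

/* Static pool instead of malloc(): a released slot can be read safely in this demo. */
static demo_pair_t pool[DEMO_POOL];

demo_pair_t *demo_pair_alloc(uint32_t attr, const char *value)
{
    for (size_t i = 0; i < DEMO_POOL; i++) {
        if (pool[i].magic == DEMO_LIVE) continue;   /* slot in use */
        memset(&pool[i], 0, sizeof(pool[i]));
        pool[i].magic = DEMO_LIVE;
        pool[i].attr = attr;
        snprintf(pool[i].value, sizeof(pool[i].value), "%s", value);
        return &pool[i];
    }
    return NULL;                                    /* pool exhausted */
}

/* Release a node and zero every field, so later use through a stale pointer is visible. */
void demo_pair_free(demo_pair_t *vp)
{
    if (vp) memset(vp, 0, sizeof(*vp));
}

/* Returns 1 if vp still refers to a live node, 0 if it is NULL or was released. */
int demo_pair_is_live(const demo_pair_t *vp)
{
    return vp != NULL && vp->magic == DEMO_LIVE;
}

/* Counts the nodes in a list; returns -1 as soon as it reaches a released node. */
int demo_list_count(const demo_pair_t *head)
{
    int n = 0;
    for (const demo_pair_t *vp = head; vp; vp = vp->next) {
        if (!demo_pair_is_live(vp)) return -1;
        n++;
    }
    return n;
}
```
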