SV: Re: Freeradius stops authenticating
Svein Hansen
Svein.Hansen at hive.no
Mon Nov 7 14:59:02 CET 2005
I recompiled freeradius with the patch, but the problem didn't go away.
I have 2 new outputs from valgrind and a stack trace from gdb, but I don't want to send attachments to the list.
Here are some lines from the outputs:
Run 1: Valgrind
# valgrind --tool=memcheck --verbose --log-file=/root/val071105 radiusd -yf
---
==32260== Thread 8:
==32260== Invalid write of size 4
==32260== at 0x7D64E8: _IO_fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.4.so)
==32260== by 0x1BB78CB2: ??? (rlm_passwd.c:308)
==32260== by 0xFC53: modcall (modcall.c:219)
==32260== by 0xFEE0: modcall (modcall.c:252)
==32260== Address 0x1BB57078 is 0 bytes inside a block of size 352 free'd
==32260== at 0x1B904EA5: free (vg_replace_malloc.c:153)
==32260== by 0x7D64F5: _IO_fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.4.so)
==32260== by 0x1BB77DFA: ??? (rlm_passwd.c:285)
==32260== by 0x1BB78C12: ??? (rlm_passwd.c:545)
==32260==
==32260== Thread 8:
==32260== Invalid free() / delete / delete[]
==32260== at 0x1B904EA5: free (vg_replace_malloc.c:153)
==32260== by 0x7D64F5: _IO_fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.4.so)
==32260== by 0x1BB78CB2: ??? (rlm_passwd.c:308)
==32260== by 0xFC53: modcall (modcall.c:219)
==32260== Address 0x1BB57078 is 0 bytes inside a block of size 352 free'd
==32260== at 0x1B904EA5: free (vg_replace_malloc.c:153)
==32260== by 0x7D64F5: _IO_fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.4.so)
==32260== by 0x1BB77DFA: ??? (rlm_passwd.c:285)
==32260== by 0x1BB78C12: ??? (rlm_passwd.c:545)
Run 2: Valgrind
# valgrind --tool=memcheck --verbose --log-file=/root/val071105 radiusd -yf
-----
==9390== Thread 8:
==9390== Invalid write of size 4
==9390== at 0x7D64E8: _IO_fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.4.so)
==9390== by 0x1BB78CB2: ??? (rlm_passwd.c:308)
==9390== by 0xFC53: modcall (modcall.c:219)
==9390== by 0xFEE0: modcall (modcall.c:252)
==9390== Address 0x1BB371C8 is 0 bytes inside a block of size 352 free'd
==9390== at 0x1B904EA5: free (vg_replace_malloc.c:153)
==9390== by 0x7D64F5: _IO_fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.4.so)
==9390== by 0x1BB77DFA: ??? (rlm_passwd.c:285)
==9390== by 0x1BB78CA3: ??? (rlm_passwd.c:309)
==9390==
==9390== Thread 8:
==9390== Invalid free() / delete / delete[]
==9390== at 0x1B904EA5: free (vg_replace_malloc.c:153)
==9390== by 0x7D64F5: _IO_fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.4.so)
==9390== by 0x1BB78CB2: ??? (rlm_passwd.c:308)
==9390== by 0xFC53: modcall (modcall.c:219)
==9390== Address 0x1BB371C8 is 0 bytes inside a block of size 352 free'd
==9390== at 0x1B904EA5: free (vg_replace_malloc.c:153)
==9390== by 0x7D64F5: _IO_fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.4.so)
==9390== by 0x1BB77DFA: ??? (rlm_passwd.c:285)
==9390== by 0x1BB78CA3: ??? (rlm_passwd.c:309)
==9390==
==9390== Thread 9:
==9390== Invalid read of size 1
==9390== at 0x7D6BFA: _IO_fgets (in /lib/tls/libc-2.3.4.so)
==9390== by 0x1BB77DA0: ??? (rlm_passwd.c:275)
==9390== by 0x1BB78C12: ??? (rlm_passwd.c:545)
==9390== by 0xFC53: modcall (modcall.c:219)
==9390== Address 0x1BB68F31 is 1 bytes inside a block of size 352 free'd
==9390== at 0x1B904EA5: free (vg_replace_malloc.c:153)
==9390== by 0x7D64F5: _IO_fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.4.so)
==9390== by 0x1BB78CB2: ??? (rlm_passwd.c:308)
==9390== by 0xFC53: modcall (modcall.c:219)
Run 3: gdb
# radiusd -yf
Mon Nov 7 13:02:31 2005 : Info: Starting - reading configuration files ...
*** glibc detected *** malloc(): memory corruption: 0xae8012dd ***
Aborted (core dumped)
# date
man nov 7 14:19:20 CET 2005
# gdb radiusd core.19991
(gdb) bt
#0 0x00bbb7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0x003127d5 in raise () from /lib/tls/libc.so.6
#2 0x00314149 in abort () from /lib/tls/libc.so.6
#3 0x0034640a in __libc_message () from /lib/tls/libc.so.6
#4 0x0034d51c in _int_malloc () from /lib/tls/libc.so.6
#5 0x0034ef81 in malloc () from /lib/tls/libc.so.6
#6 0x0011915b in pairmake (attribute=0x947af33 "LM-Password", value=0x947ab03 "", operator=11)
at valuepair.c:1041
#7 0x00e09981 in addresult (inst=0x947a9e8, vp=0x947d954, pw=0x947aac8, when=0 '\0',
listname=0xe09e76 "config_items") at rlm_passwd.c:504
#8 0x00e09bbc in passwd_authorize (instance=0x947a9e8, request=0x947d940) at rlm_passwd.c:542
#9 0x001f2c54 in modcall (component=1, c=0x9479b18, request=0x947d940) at modcall.c:219
#10 0x001f2ee1 in modcall (component=1, c=0x93fb260, request=0x947d940) at modcall.c:252
#11 0x001f2126 in indexed_modcall (comp=1, idx=6, request=0x0) at modules.c:473
#12 0x001eeef3 in rad_authenticate (request=0x947d940) at auth.c:592
#13 0x001e804c in rad_respond (request=0x947d940, fun=0x1eee57 <rad_authenticate>) at radiusd.c:1642
#14 0x001f5481 in request_handler_thread (arg=0x947d378) at threads.c:517
#15 0x006c5341 in start_thread () from /lib/tls/libpthread.so.0
#16 0x003b26fe in clone () from /lib/tls/libc.so.6
(gdb)
My rlm_passwd.c (after applying patch):
Line: 279 - 289
if(!strcmp(list, name)) return passwd;
}
}
}
}
fclose(ht->fp);
ht->fp = NULL;
return NULL;
#undef passwd
}
Line:301 - 311
if (!strcmp(hashentry->field[ht->keyfield], name)){
/* save address of next item to check into buffer */
ht->last_found=hashentry->next;
return hashentry;
}
return NULL;
}
if (ht->fp) fclose(ht->fp);
if (!(ht->fp=fopen(ht->filename, "r"))) return NULL;
return get_next(name, ht);
}
Line: 540 - 550
}
do {
addresult(inst, &request->config_items, pw, 0, "config_items");
addresult(inst, &request->reply->vps, pw, 1, "reply_items");
addresult(inst, &request->packet->vps, pw, 2, "request_items");
} while ( (pw = get_next(name, inst->ht)) );
found++;
if (!inst->allowmultiple) break;
}
if(!found) {
return RLM_MODULE_NOTFOUND;
Please send me an email if you can help me, and I will send the complete outputs.
Svein Hansen
>>> nbk at sitadelle.com 27.10.2005 12:34:41 >>>
Svein Hansen wrote:
> I suspected that there had to be a module in freeradius that makes
> glibc fault, so I tried to run freeradius in Valgrind:
Thanks, the output of Valgrind is very useful.
> I'm not a programmer, but can it be that radius tries a double-close
> or a double-free?
Indeed, it looks like a file stream is closed more than once.
Please try to apply these changes to src/modules/rlm_passwd/rlm_passwd.c
then recompile FreeRADIUS and test again.
Index: src/modules/rlm_passwd/rlm_passwd.c
===================================================================
RCS file: /source/radiusd/src/modules/rlm_passwd/rlm_passwd.c,v
retrieving revision 1.13.2.3
diff -u -r1.13.2.3 rlm_passwd.c
--- src/modules/rlm_passwd/rlm_passwd.c 19 Dec 2004 20:06:30 -0000 1.13.2.3
+++ src/modules/rlm_passwd/rlm_passwd.c 27 Oct 2005 10:23:00 -0000
@@ -136,8 +136,15 @@
for (i=0; i<ht->tablesize; i++)
if (ht->table[i])
destroy_password(ht->table[i]);
- if (ht->table) free(ht->table);
- if (ht->fp) fclose(ht->fp);
+ if (ht->table) {
+ free(ht->table);
+ ht->table = NULL:
+ }
+ if (ht->fp) {
+ fclose(ht->fp);
+ ht->fp = NULL;
+ }
+ ht->tablesize = 0;
}
static void release_ht(struct hashtable * ht){
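Review bot: The added line `ht->table = NULL:` ends in a colon instead of a semicolon, so the patch as posted does not compile; it should read `ht->table = NULL;`. Separately, clearing `ht->fp` after `fclose()` here only prevents a second close through release_hash_table itself, whose body begins above this hunk. The valgrind reports in this thread show the stream being freed on one request thread and then read or closed again on another (Thread 8 and Thread 9, via rlm_passwd.c:275, 285 and 308), which suggests `ht->fp` is shared between concurrent request handlers without a lock. If that is the case, the lookup and `get_next` paths need a mutex around every use of `ht->fp` (or a per-request `FILE *`), because a use-after-free on a `FILE` in an authentication daemon is heap corruption and not merely a crash.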
@@ -194,7 +201,6 @@
if(*buffer && *buffer!='\n' && (!ignorenis || (*buffer != '+' && *buffer != '-')) ){
if(!(hashentry = mypasswd_malloc(buffer, nfields, &len))){
release_hash_table(ht);
- ht->tablesize = 0;
return ht;
}
len = string_to_entry(buffer, nfields, *ht->delimiter, hashentry, len);
@@ -219,7 +225,6 @@
else nextlist = 0;
if(!(hashentry1 = mypasswd_malloc("", nfields, &len))){
release_hash_table(ht);
- ht->tablesize = 0;
return ht;
}
for (i=0; i<nfields; i++) hashentry1->field[i] = hashentry->field[i];
--
Nicolas Baradakis