received signal SIGSEGV, Segmentation fault. malloc_consolidate (av=0x7ffff5e2de80) at malloc.c:5196

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Dec 12 19:16:54 CET 2013


On 12 Dec 2013, at 18:00, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:

> 
>> BT: 
>> rad_recv: Access-Request packet from host 127.0.0.1 port 42335, id=16, length=103
>>       User-Name = 'hachmer'
>>       User-Password = 'pass'
>>       NAS-IP-Address = 127.0.0.1
>>       NAS-Port = 0
>>       Message-Authenticator = 0xecaf11b4272d31821075a076004c4808
>> (4) # Executing section authorize from file /etc/raddb/sites-enabled/default
>> (4)   authorize {
>> (4)   filter_username filter_username {
>> (4)    ? if (User-Name != "%{tolower:%{User-Name}}") 
>> 
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x00007ffff5b04285 in malloc_consolidate () from /lib64/libc.so.6
> 
> *sigh* It's a double free in libkrb5.
> 
> They free ctx->plugin_base_dir in krb5_free_context, but don't strdup it in krb5_copy_context.
> 
> The proper struct is hidden, only the type is exposed

Sorry, whacked send too early:

The proper struct is hidden, only the type is exposed, so there's no way to calculate the offset
of that field in the struct, and therefore no way to fix this problem from outside of the ctx_copy
function.

I'll submit another bug report, and another fix, and then I guess, add some logic to the configure
script to automatically disable thread support for MIT kerberos in anything less than the absolute
latest library version (provided they merge the patches for the next release).

Then for the packages, I'll set the default dependency to Heimdal (after doing some testing with
Heimdal to make sure it doesn't have similar issues).

If you want a quick fix to get something working you can either patch your version of the kerberos
library, adding:

    if (ctx->plugin_base_dir)
        nctx->plugin_base_dir = strdup(ctx->plugin_base_dir);

Just above the if (ctx->os_context.default_ccname != NULL) { line in src/lib/krb5/krb/copy_ctx.c.

Or on the FreeRADIUS side, edit src/modules/rlm_krb5/all.mk

and remove -DKRB5_IS_THREAD_SAFE from the SRC_CFLAGS.

Or switch to using the Heimdal library. 

I'm not sure why it worked on Alan Buxey's server, maybe he was using a very old version of the
library which didn't have these defects.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
