Segmentation Fault after querying radgroupcheck in FR 3.0.7
Susan Barnes
barnes at rrz.uni-koeln.de
Tue Mar 31 14:58:32 CEST 2015
Hi,
we have built and installed FR 3.0.7 RPMs on CentOS 6 with the specfile from
<http://software.opensuse.org/download.html?project=home%3Afreeradius%3A3.0.x%3Acentos&package=freeradius>
(with minimal changes for the changes from 3.0.4 to 3.0.7)
We have run into the following problem:
Using SQL-Backend, we would like to authorize users according to huntgroups.
We have set up a usergroup mgm-wlan-3 and then inserted the following
attribute/value into radgroupcheck:
insert into radgroupcheck (GroupName, Attribute, op, Value) values
('mgm-wlan-3', 'Huntgroup-Name', '==', 'submarine');
When testing, the user is found, but just after querying radgroupcheck we
get a seg fault if and only if the attribute in radgroupcheck does not
match.
Output from radiusd -X:
rlm_sql (sql): Reserved connection (9)
(3) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(3) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '00254bbf0584' ORDER BY id
(3) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = '00254bbf0584' ORDER BY id
(3) sql: User found in radcheck table
(3) sql: Conditional check items matched, merging assignment check items
(3) sql: Cleartext-Password := '00254bbf0584'
(3) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(3) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = '00254bbf0584' ORDER BY id
(3) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = '00254bbf0584' ORDER BY id
(3) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(3) sql: --> SELECT groupname FROM radusergroup WHERE username =
'00254bbf0584' ORDER BY priority
(3) sql: Executing select query: SELECT groupname FROM radusergroup
WHERE username = '00254bbf0584' ORDER BY priority
(3) sql: User found in the group table
(3) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(3) sql: --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'mgm-wlan-3' ORDER BY id
(3) sql: Executing select query: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname = 'mgm-wlan-3' ORDER BY id
Segmentation fault
We have looked into the source and used gdb and think the problem lies
with the following lines from rlm_sql.c within rlm_sql_process_groups():
    do {
    next:
        rad_assert(entry != NULL);
        pairstrcpy(sql_group, entry->name);
        . . .
        if ((rows > 0) &&
            (paircompare(request, request->packet->vps, check_tmp,
                         &request->reply->vps) != 0)) {
            pairfree(&check_tmp);
            entry = entry->next;
            goto next; /* != continue */
        }
If the attributes from radgroupcheck do not match, paircompare() returns
a value not 0 and then entry->next is not defined, but we still jump
into the next iteration and possibly pairstrcpy() segfaults.
rad_assert does not seem to do anything, because NDEBUG was set during
compilation.
Is this a bug or are we doing anything wrong?
Thanks in advance
Susan
--
S.Barnes
Cologne University IT/Networking Dept.
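
The pattern described in the message above, as an added example that is not part of the original post and not FreeRADIUS code: a `goto next` that re-enters the loop body skips the `while` condition, so an assert that is compiled out under NDEBUG must be backed by a runtime NULL check. The names `group_entry`, `process_groups` and `demo_assert` are hypothetical, and the group data is constructed.

```c
#include <stdio.h>
#include <string.h>

/* What an assert-style macro expands to in an NDEBUG build: nothing. */
#define demo_assert(expr) ((void)0)

typedef struct group_entry {          /* hypothetical stand-in for the group list */
    const char *name;
    const char *huntgroup;            /* required Huntgroup-Name, NULL = no check item */
    struct group_entry *next;
} group_entry;

/* Returns how many groups matched; copies the last group examined into last. */
int process_groups(const group_entry *entry, const char *req_huntgroup,
                   char *last, size_t len)
{
    int matched = 0;
    if (!entry) return 0;
    do {
    next:
        demo_assert(entry != NULL);   /* compiled out: gives no protection */
        if (!entry) break;            /* runtime check that survives NDEBUG */
        snprintf(last, len, "%s", entry->name);

        if (entry->huntgroup && strcmp(entry->huntgroup, req_huntgroup) != 0) {
            entry = entry->next;      /* NULL when the last group did not match */
            goto next;                /* jumps past the while() condition */
        }
        matched++;
        entry = entry->next;
    } while (entry != NULL);
    return matched;
}

/* Constructed case from the post: one group whose check item does not match. */
int demo_last_group_mismatch(void)
{
    char last[64] = "";
    group_entry g = { "mgm-wlan-3", "submarine", NULL };
    int n = process_groups(&g, "other-huntgroup", last, sizeof(last));
    return (n == 0 && strcmp(last, "mgm-wlan-3") == 0) ? 0 : -1;
}

int main(void)
{
    printf("handled: %s\n", demo_last_group_mismatch() == 0 ? "yes" : "no");
    return 0;
}
```

Removing the `if (!entry) break;` line reproduces the dereference of a NULL `entry` on the mismatch path.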