freeradius 3.0.15 memory corruption

petr.linke at seznam.cz
Thu Sep 7 10:48:12 CEST 2017


Hello,
I am trying to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth 
from samba. I use the default settings, following 
freeradius-active-directory-integration-howto. All works correctly for username 
lengths up to 5 characters, but when I use a username longer than 5 
characters, freeradius terminates due to memory corruption.
(freeradius v.3.0.15, running on Debian Wheezy64).
 

Debug output for a username longer than 5 characters:

...
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "abcdef", looking up realm NULL
(10) ntdomain: No such realm "NULL"
(10)       [ntdomain] = noop
(10)       update control {
(10)         &Proxy-To-Realm := LOCAL
(10)       } # update control = noop
(10) eap: Peer sent EAP Response (code 2) ID 11 length 6
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10)       [eap] = updated
(10)       [logintime] = noop
(10)       [pap] = noop
(10)     } # authorize = updated
(10)   Found Auth-Type = eap
(10)   # Executing group from file /etc/freeradius/sites-enabled/inner
(10)     authenticate {
(10) eap: Expiring EAP session with state 0x00b1f6cf01baecde
(10) eap: Finished EAP session with state 0x00b1f6cf01baecde
(10) eap: Previous EAP request found for state 0x00b1f6cf01baecde, released from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap: Sending EAP Success (code 3) ID 11 length 4
(10) eap: Freeing handler
(10)       [eap] = ok
(10)     } # authenticate = ok
(10)   # Executing section post-auth from file /etc/freeradius/sites-enabled/inner
(10)     post-auth {
(10)       if (1) {
(10)       if (1)  -> TRUE
(10)       if (1)  {
(10)         update reply {
(10)           User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7efef0171bb6]
*** glibc detected *** freeradius: free(): invalid next size (fast): 0x0000000000b61230 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7efef017695c]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7efef159d089]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7efef15998b3]
/usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7efef2023b56]
/usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x7efef2263c9d]
freeradius[0x4278ad]
freeradius[0x4272aa]
freeradius[0x42752d]
freeradius[0x4272aa]
freeradius[0x42752d]
freeradius(modcall+0x43)[0x4286a3]
freeradius(indexed_modcall+0xa5)[0x423205]
freeradius(rad_postauth+0x80)[0x4118a0]
freeradius(rad_virtual_server+0x3d0)[0x4128f0]
/usr/lib/freeradius/rlm_eap_peap.so(eappeap_process+0x772)[0x7efee953c872]
/usr/lib/freeradius/rlm_eap_peap.so(+0x1de2)[0x7efee953ade2]
/usr/lib/freeradius/rlm_eap.so(+0x3bbb)[0x7efeeab60bbb]
/usr/lib/freeradius/rlm_eap.so(eap_method_select+0xc8)[0x7efeeab60e58]
/usr/lib/freeradius/rlm_eap.so(+0x2e15)[0x7efeeab5fe15]
freeradius[0x4283b2]
freeradius[0x4272aa]
freeradius[0x42752d]
freeradius(modcall+0x43)[0x4286a3]
freeradius(indexed_modcall+0xa5)[0x423205]
freeradius(rad_authenticate+0x73d)[0x4122bd]
freeradius[0x4368ba]
freeradius[0x4322ad]
freeradius(request_receive+0x337)[0x433f97]
freeradius[0x41d5b9]
freeradius[0x4316ad]
/usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7efef2036c59]
freeradius(main+0x6af)[0x410dbf]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7efef011aead]
freeradius[0x411105]
======= Memory map: ========
00400000-00463000 r-xp 00000000 01:01 77414                              /usr/sbin/freeradius
00662000-00665000 r--p 00062000 01:01 77414                              /usr/sbin/freeradius
00665000-00669000 rw-p 00065000 01:01 77414                              /usr/sbin/freeradius
00669000-0066a000 rw-p 00000000 00:00 0
00800000-00b9b000 rw-p 00000000 00:00 0                                  [heap]
...


And now the same situation with a username of up to 5 characters:

(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "test2", looking up realm NULL
(10) ntdomain: No such realm "NULL"
(10)       [ntdomain] = noop
(10)       update control {
(10)         &Proxy-To-Realm := LOCAL
(10)       } # update control = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 64
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10)       [eap] = updated
(10)       [logintime] = noop
(10)       [pap] = noop
(10)     } # authorize = updated
(10)   Found Auth-Type = eap
(10)   # Executing group from file /etc/freeradius/sites-enabled/inner
(10)     authenticate {
(10) eap: Expiring EAP session with state 0x3dd92fdb3dd3359e
(10) eap: Finished EAP session with state 0x3dd92fdb3dd3359e
(10) eap: Previous EAP request found for state 0x3dd92fdb3dd3359e, released from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner
(10) eap_mschapv2:   authenticate {
(10) mschap: Creating challenge hash with username: test2
(10) mschap: Client is using MS-CHAPv2
(10) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TEST.LOCAL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(10) mschap: EXPAND --username=%{mschap:User-Name:-None}
(10) mschap:    --> --username=test2
...
(12)     policy remove_reply_message_if_eap {
(12)       if (&reply:EAP-Message && &reply:Reply-Message) {
(12)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(12)       else {
(12)         [noop] = noop
(12)       } # else = noop
(12)     } # policy remove_reply_message_if_eap = noop
(12)   } # post-auth = ok
(12) Sent Access-Accept Id 252 from 10.255.246.120:1812 to 10.255.246.253:1812 length 0
(12)   MS-MPPE-Recv-Key = 0x1f4851b2d1ec7efab075df3b8442ee2f92405e46935f2739e329efbe06bc0e1e
(12)   MS-MPPE-Send-Key = 0xe75f33f2f6e0d814306d365d1c2d55da8296b7df034ad29b762d516c0cc10f7f
(12)   EAP-Message = 0x030c0004
(12)   Message-Authenticator = 0x00000000000000000000000000000000
(12)   User-Name = "test2"
(12)   EAP-Key-Name := 0x1959b11211ec00b494af0aff7ea172e56e202f0fa593dd5f9b40334b1906ab90534867b6668b5466cce813501306b028a585698afddf1dafb6937c56a41b6241ff
(12) Finished request


But when I try radtest with a username longer than 5 characters, there is no 
problem:
----------------------------------------------------------------------------
radius-test:~# radtest -t mschap abcdef 12345#W 10.255.246.120 1 SharedSecret
Sent Access-Request Id 238 from 0.0.0.0:52211 to 10.255.246.120:1812 length 132
        User-Name = "abcdef"
        MS-CHAP-Password = "12345#W"
        NAS-IP-Address = 10.255.246.120
        NAS-Port = 1
        Message-Authenticator = 0x00
        Cleartext-Password = "12345#W"
        MS-CHAP-Challenge = 0x838e90923dacd16e
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000ce64b63fc3d55e1391b5f4ac516373cd10bd09574a21bb8c
Received Access-Accept Id 238 from 10.255.246.120:1812 to 0.0.0.0:0 length 37

Thank you for any help, Petr Linke
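As an added example (not part of the original post or of the FreeRADIUS project), a small Python triage helper for reports of this shape: it reads radiusd debug output like the one quoted above, finds the request and unlang statement that were being executed when glibc aborted, strips the backtrace frame that interleaved stderr glued onto that statement, and collects the symbolised frame names. The sample log is constructed from lines quoted in the post.

```python
"""Triage a radiusd -X debug log that ends in a glibc abort (added example; not FreeRADIUS code).
Finds the request and last unlang statement active at the abort and the symbolised frames."""
import re

# Constructed sample modelled on the debug output in the report above (not a fresh capture).
SAMPLE_LOG = """\
(10)     post-auth {
(10)         update reply {
(10)           User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7efef0171bb6]
*** glibc detected *** freeradius: free(): invalid next size (fast): 0x0000000000b61230 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7efef017695c]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7efef15998b3]
/usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7efef2023b56]
/usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x7efef2263c9d]
freeradius[0x4278ad]
freeradius(modcall+0x43)[0x4286a3]
======= Memory map: ========
"""

UNLANG = re.compile(r"^\((\d+)\)\s+(.*)$")                                # "(10)   statement"
ABORT = re.compile(r"\*\*\* glibc detected \*\*\* (\S+): (.+?): (0x[0-9a-f]+) \*\*\*")
GLUED_FRAME = re.compile(r"(/\S+)?\(\+?0x[0-9a-f]+\)\[0x[0-9a-f]+\]$")      # frame fused onto a line
SYM_FRAME = re.compile(r"^\S+?\(([^)+]+)\+0x[0-9a-f]+\)\[0x[0-9a-f]+\]$")   # object(symbol+off)[addr]

def triage(log: str) -> dict:
    result = {"abort": None, "request": None, "statement": None, "frames": []}
    in_backtrace = False
    for line in log.splitlines():
        if line.startswith("======= Backtrace"):
            in_backtrace = True
            continue
        if line.startswith("======= Memory map"):
            break                                   # mappings carry no statement context
        if in_backtrace:
            m = SYM_FRAME.match(line)
            if m:                                   # unsymbolised frames like freeradius[0x..] are skipped
                result["frames"].append(m.group(1))
            continue
        m = ABORT.search(line)
        if m:
            result["abort"] = {"program": m.group(1), "reason": m.group(2), "addr": m.group(3)}
            continue
        m = UNLANG.match(line)
        if m:                                       # remember the most recent unlang step per log
            result["request"] = m.group(1)
            result["statement"] = GLUED_FRAME.sub("", m.group(2)).strip()
    return result
```

Run `triage(open("radiusd.log").read())` on a captured debug log to see which statement the server was executing when the heap check fired.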



