freeradius 3.0.15 memory corruption

Alan Buxey alan.buxey at gmail.com
Thu Sep 7 11:14:16 CEST 2017


radtest doesn't do EAP. Your real packets are using EAP and therefore
go through a different path - into inner-tunnel etc. Use e.g. the
wpa_supplicant 'eapol_test' tool to actually run tests similar to a
client. What's your config like in the authn/authz sections of
inner-tunnel? What do you have enabled in the mschap module?
(PS: should be using winbind method with 3.0.15 rather than ntlm_auth :) )

alan

On 7 September 2017 at 09:48,  <petr.linke at seznam.cz> wrote:
> Hello,
> I am trying to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth
> from samba. I use default settings and follow the
> freeradius-active-directory-integration-howto. All works correctly for
> username length up to 5 characters, but when I use a username whose length
> is more than 5 characters, freeradius terminates due to memory corruption.
> (freeradius v.3.0.15, running on debian Wheezy64).
>
>
> debug for username length more than 5 characters:
>
> ...
> (10) ntdomain: Checking for prefix before "\"
> (10) ntdomain: No '\' in User-Name = "abcdef", looking up realm NULL
> (10) ntdomain: No such realm "NULL"
> (10)       [ntdomain] = noop
> (10)       update control {
> (10)         &Proxy-To-Realm := LOCAL
> (10)       } # update control = noop
> (10) eap: Peer sent EAP Response (code 2) ID 11 length 6
> (10) eap: No EAP Start, assuming it's an on-going EAP conversation
> (10)       [eap] = updated
> (10)       [logintime] = noop
> (10)       [pap] = noop
> (10)     } # authorize = updated
> (10)   Found Auth-Type = eap
> (10)   # Executing group from file /etc/freeradius/sites-enabled/inner
> (10)     authenticate {
> (10) eap: Expiring EAP session with state 0x00b1f6cf01baecde
> (10) eap: Finished EAP session with state 0x00b1f6cf01baecde
> (10) eap: Previous EAP request found for state 0x00b1f6cf01baecde, released from the list
> (10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (10) eap: Calling submodule eap_mschapv2 to process data
> (10) eap: Sending EAP Success (code 3) ID 11 length 4
> (10) eap: Freeing handler
> (10)       [eap] = ok
> (10)     } # authenticate = ok
> (10)   # Executing section post-auth from file /etc/freeradius/sites-enabled/inner
> (10)     post-auth {
> (10)       if (1) {
> (10)       if (1)  -> TRUE
> (10)       if (1)  {
> (10)         update reply {
> (10)           User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7efef0171bb6]
> *** glibc detected *** freeradius: free(): invalid next size (fast): 0x0000000000b61230 ***
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7efef017695c]
> /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7efef159d089]
> /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7efef15998b3]
> /usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7efef2023b56]
> /usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x7efef2263c9d]
> freeradius[0x4278ad]
> freeradius[0x4272aa]
> freeradius[0x42752d]
> freeradius[0x4272aa]
> freeradius[0x42752d]
> freeradius(modcall+0x43)[0x4286a3]
> freeradius(indexed_modcall+0xa5)[0x423205]
> freeradius(rad_postauth+0x80)[0x4118a0]
> freeradius(rad_virtual_server+0x3d0)[0x4128f0]
> /usr/lib/freeradius/rlm_eap_peap.so(eappeap_process+0x772)[0x7efee953c872]
> /usr/lib/freeradius/rlm_eap_peap.so(+0x1de2)[0x7efee953ade2]
> /usr/lib/freeradius/rlm_eap.so(+0x3bbb)[0x7efeeab60bbb]
> /usr/lib/freeradius/rlm_eap.so(eap_method_select+0xc8)[0x7efeeab60e58]
> /usr/lib/freeradius/rlm_eap.so(+0x2e15)[0x7efeeab5fe15]
> freeradius[0x4283b2]
> freeradius[0x4272aa]
> freeradius[0x42752d]
> freeradius(modcall+0x43)[0x4286a3]
> freeradius(indexed_modcall+0xa5)[0x423205]
> freeradius(rad_authenticate+0x73d)[0x4122bd]
> freeradius[0x4368ba]
> freeradius[0x4322ad]
> freeradius(request_receive+0x337)[0x433f97]
> freeradius[0x41d5b9]
> freeradius[0x4316ad]
> /usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7efef2036c59]
> freeradius(main+0x6af)[0x410dbf]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7efef011aead]
> freeradius[0x411105]
> ======= Memory map: ========
> 00400000-00463000 r-xp 00000000 01:01 77414                              /usr/sbin/freeradius
> 00662000-00665000 r--p 00062000 01:01 77414                              /usr/sbin/freeradius
> 00665000-00669000 rw-p 00065000 01:01 77414                              /usr/sbin/freeradius
> 00669000-0066a000 rw-p 00000000 00:00 0
> 00800000-00b9b000 rw-p 00000000 00:00 0                                  [heap]
> ...
>
>
> and now the same situation, username length up to 5 characters:
>
> (10) ntdomain: Checking for prefix before "\"
> (10) ntdomain: No '\' in User-Name = "test2", looking up realm NULL
> (10) ntdomain: No such realm "NULL"
> (10)       [ntdomain] = noop
> (10)       update control {
> (10)         &Proxy-To-Realm := LOCAL
> (10)       } # update control = noop
> (10) eap: Peer sent EAP Response (code 2) ID 10 length 64
> (10) eap: No EAP Start, assuming it's an on-going EAP conversation
> (10)       [eap] = updated
> (10)       [logintime] = noop
> (10)       [pap] = noop
> (10)     } # authorize = updated
> (10)   Found Auth-Type = eap
> (10)   # Executing group from file /etc/freeradius/sites-enabled/inner
> (10)     authenticate {
> (10) eap: Expiring EAP session with state 0x3dd92fdb3dd3359e
> (10) eap: Finished EAP session with state 0x3dd92fdb3dd3359e
> (10) eap: Previous EAP request found for state 0x3dd92fdb3dd3359e, released from the list
> (10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (10) eap: Calling submodule eap_mschapv2 to process data
> (10) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner
> (10) eap_mschapv2:   authenticate {
> (10) mschap: Creating challenge hash with username: test2
> (10) mschap: Client is using MS-CHAPv2
> (10) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TEST.LOCAL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
> (10) mschap: EXPAND --username=%{mschap:User-Name:-None}
> (10) mschap:    --> --username=test2
> ...
> (12)     policy remove_reply_message_if_eap {
> (12)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (12)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (12)       else {
> (12)         [noop] = noop
> (12)       } # else = noop
> (12)     } # policy remove_reply_message_if_eap = noop
> (12)   } # post-auth = ok
> (12) Sent Access-Accept Id 252 from 10.255.246.120:1812 to 10.255.246.253:1812 length 0
> (12)   MS-MPPE-Recv-Key = 0x1f4851b2d1ec7efab075df3b8442ee2f92405e46935f2739e329efbe06bc0e1e
> (12)   MS-MPPE-Send-Key = 0xe75f33f2f6e0d814306d365d1c2d55da8296b7df034ad29b762d516c0cc10f7f
> (12)   EAP-Message = 0x030c0004
> (12)   Message-Authenticator = 0x00000000000000000000000000000000
> (12)   User-Name = "test2"
> (12)   EAP-Key-Name := 0x1959b11211ec00b494af0aff7ea172e56e202f0fa593dd5f9b40334b1906ab90534867b6668b5466cce813501306b028a585698afddf1dafb6937c56a41b6241ff
> (12) Finished request
>
>
> But when I try radtest with username length more than 5 characters, no problem:
> ----------------------------------------------------------------------------
> radius-test:~# radtest -t mschap abcdef 12345#W 10.255.246.120 1 SharedSecret
> Sent Access-Request Id 238 from 0.0.0.0:52211 to 10.255.246.120:1812 length 132
>         User-Name = "abcdef"
>         MS-CHAP-Password = "12345#W"
>         NAS-IP-Address = 10.255.246.120
>         NAS-Port = 1
>         Message-Authenticator = 0x00
>         Cleartext-Password = "12345#W"
>         MS-CHAP-Challenge = 0x838e90923dacd16e
>         MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000ce64b63fc3d55e1391b5f4ac516373cd10bd09574a21bb8c
> Received Access-Accept Id 238 from 10.255.246.120:1812 to 0.0.0.0:0 length 37
>
> Thank you for any help, Petr Linke
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
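
Added example (not part of the original thread and not FreeRADIUS project code): a shell wrapper that exercises the PEAP/MSCHAPv2 path with eapol_test, as the reply suggests, instead of radtest. The function names, the ssid value and the anonymous outer identity are assumptions; port 1812 matches the debug output above.

```sh
#!/bin/sh
# Added example, not from the thread: reproduce the EAP (PEAP/MSCHAPv2) path
# with eapol_test. Function names, ssid and anonymous_identity are assumptions.
# Usage: sh peap-test.sh USER PASSWORD RADIUS_IP SHARED_SECRET

# Write a wpa_supplicant-style network block: PEAP outside, MSCHAPv2 inside.
# $1 = output file, $2 = username, $3 = password (must not contain '"')
write_peap_conf() (
    umask 077   # the file holds a cleartext password
    cat > "$1" <<EOF
network={
    ssid="eapol-test"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$2"
    anonymous_identity="anonymous"
    password="$3"
    phase2="auth=MSCHAPV2"
}
EOF
)

# Run one full EAP conversation against the server on UDP port 1812.
# $1 = username, $2 = password, $3 = server IP, $4 = shared secret
run_peap_test() {
    command -v eapol_test >/dev/null 2>&1 || {
        echo "eapol_test not found (built from the wpa_supplicant sources)" >&2
        return 127
    }
    conf=$(mktemp) || return 1
    write_peap_conf "$conf" "$1" "$2"
    eapol_test -c "$conf" -a "$3" -p 1812 -s "$4"
    rc=$?
    rm -f "$conf"
    return "$rc"
}

# Only talk to a server when all four arguments are given.
if [ "$#" -eq 4 ]; then
    run_peap_test "$@"
fi
```

Running it once with a short and once with a long username while the server runs in debug mode shows whether the inner-tunnel path, which radtest never reaches, behaves differently for the two.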

