Freeradius crashes with SIGABRT

Daniel Feuchtinger daniel.feuchtinger at lrz.de
Wed Mar 6 14:40:59 CET 2019


Hi, 

our radius proxy crashes regularily since we switched from version 2 to 3.
First we ran freeradius version 3.0.15 (package from Suse Linux Enterprise 12.4),
then version 3.0.17 and 3.0.18 (compiled with rpmbuild) with no difference.

Our present configuration is like this:

radius at radius-dev1:~> uname -a
Linux radius-dev1 4.12.14-95.6-default #1 SMP Thu Jan 17 06:04:39 UTC 2019 (6af4ef8) x86_64 x86_64 x86_64 GNU/Linux

radius at radius-dev1:~> /usr/sbin/radiusd -v
radiusd: FreeRADIUS Version 3.0.18, for host x86_64-suse-linux-gnu, built on Mar  4 2019 at 00:00
FreeRADIUS Version 3.0.18

I run the radius-daemon inside of gdb with dumps enabled:

Starting program: /usr/sbin/radiusd -f -d /etc/raddb
...

*** Error in `/usr/sbin/radiusd': double free or corruption (fasttop): 0x00007fffe8009b40 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7411f)[0x7ffff60ba11f]
/lib64/libc.so.6(+0x79596)[0x7ffff60bf596]
/lib64/libc.so.6(+0x7a3db)[0x7ffff60c03db]
/usr/lib64/libtalloc.so.2(+0x300d)[0x7ffff6e7a00d]
/usr/lib64/libtalloc.so.2(+0x2d87)[0x7ffff6e79d87]
/usr/lib64/libtalloc.so.2(+0x2d87)[0x7ffff6e79d87]
/usr/sbin/radiusd(+0x37ae7)[0x55555558bae7]
/usr/sbin/radiusd(+0x3a14d)[0x55555558e14d]
/usr/lib64/freeradius/libfreeradius-radius.so(fr_event_run+0x74)[0x7ffff79928d4]
/usr/lib64/freeradius/libfreeradius-radius.so(fr_event_loop+0x2c9)[0x7ffff7992ec9]
/usr/sbin/radiusd(main+0x706)[0x555555569f06]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ffff6066725]
/usr/sbin/radiusd(_start+0x29)[0x55555556a239]
Thread 1 "radiusd" received signal SIGABRT, Aborted.
0x00007ffff607af97 in __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb)                               
(gdb) bt
#0  0x00007ffff607af97 in __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff607c36a in __GI_abort () at abort.c:78
#2  0x00007ffff60ba124 in __libc_message (do_abort=do_abort at entry=2, fmt=fmt at entry=0x7ffff61b3f48 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff60bf596 in malloc_printerr (action=3, str=0x7ffff61b40a0 "double free or corruption (fasttop)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5018
#4  0x00007ffff60c03db in _int_free (av=0x7fffe8000020, p=<optimized out>, have_lock=0) at malloc.c:3872
#5  0x00007ffff6e7a00d in _tc_free_internal (tc=0x7fffe8009b40, location=0x5555555b02ea "src/main/process.c:604") at ../talloc.c:1148
#6  0x00007ffff6e79d87 in _tc_free_children_internal (location=0x5555555b02ea "src/main/process.c:604", ptr=0x7fffe801cb80, tc=0x7fffe801cb20) at ../talloc.c:1593
#7  _tc_free_internal (location=0x5555555b02ea "src/main/process.c:604", tc=0x7fffe801cb20) at ../talloc.c:1104
#8  _tc_free_children_internal (location=0x5555555b02ea "src/main/process.c:604", ptr=0x555555c80a60, tc=0x555555c80a00) at ../talloc.c:1593
#9  _tc_free_internal (tc=0x555555c80a00, location=0x5555555b02ea "src/main/process.c:604") at ../talloc.c:1104
#10 0x00007ffff6e79d87 in _tc_free_children_internal (location=0x5555555b02ea "src/main/process.c:604", ptr=0x555555c808b0, tc=0x555555c80850) at ../talloc.c:1593
#11 _tc_free_internal (location=0x5555555b02ea "src/main/process.c:604", tc=0x555555c80850) at ../talloc.c:1104
#12 _tc_free_children_internal (location=0x5555555b02ea "src/main/process.c:604", ptr=0x555555c80690, tc=0x555555c80630) at ../talloc.c:1593
#13 _tc_free_internal (tc=0x555555c80630, location=0x5555555b02ea "src/main/process.c:604") at ../talloc.c:1104
#14 0x000055555558bae7 in request_done (request=request at entry=0x555555c808b0, action=<optimized out>, action at entry=2) at src/main/process.c:899
#15 0x000055555558e14d in request_cleanup_delay (request=0x555555c808b0, action=<optimized out>) at src/main/process.c:1212
#16 0x00007ffff79928d4 in fr_event_run (el=el at entry=0x555555bd60b0, when=when at entry=0x7fffffffe350) at src/lib/event.c:309
#17 0x00007ffff7992ec9 in fr_event_loop (el=0x555555bd60b0) at src/lib/event.c:632
#18 0x0000555555569f06 in main (argc=<optimized out>, argv=<optimized out>) at src/main/radiusd.c:611

The crash occures always within a few hours,
sometimes soon after startup.
Version 2.x with a similar setup runs stable.
I didn't provide the output of -X because it
contains sensible data, but I could provide
cleaned logs and configs, if needed. 

Thanks and greetings, 
Daniel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6026 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20190306/d076b07f/attachment-0001.bin>


More information about the Freeradius-Users mailing list