radiusd crashing on zero length option61
Chinnapaiyan, Nagamani
nagamani.chinnapaiyan at viasat.com
Wed Dec 6 13:54:12 UTC 2023
> We've tried this locally and don't see any issues.
>
> Please use the head of the v4 branch. If it still has an issue, we will need a gdb back trace to see what's going on.
Thanks Alan. Updating to the latest 4.x branch will take some time for us, as we are not able to build a CentOS 7 image with the latest 4.x code. We are working on it.
Meanwhile, I just recreated the issue with a debug log and gdb trace using the old code itself.
It seems hex conversion of the Client-Identifier is causing the problem.
I will work on the latest 4.x integration and see if it fixes this issue.
Line that causes problem:
format = "DHCP-DISCOVER 61=%{hex:%{Client-Identifier}}"
Debug log:
Debug : (0) dhcp {
Debug : (0) Received Discover XID 00000000 from 10.43.18.154:67 to 10.43.18.32:67 via eth1
Debug : (0) Opcode = Client-Message
Debug : (0) Hardware-Type = Ethernet
Debug : (0) Hardware-Address-Length = 6
Debug : (0) Hop-Count = 1
Debug : (0) Transaction-Id = 0
Debug : (0) Number-of-Seconds = 0
Debug : (0) Flags = 0
Debug : (0) Client-IP-Address = 10.43.18.154
Debug : (0) Your-IP-Address = 0.0.0.0
Debug : (0) Server-IP-Address = 0.0.0.0
Debug : (0) Gateway-IP-Address = 10.43.18.154
Debug : (0) Client-Hardware-Address = 00:a0:bc:6c:7d:3a
Debug : (0) Opcode = Client-Message
Debug : (0) Hardware-Type = Ethernet
Debug : (0) Hardware-Address-Length = 6
Debug : (0) Hop-Count = 1
Debug : (0) Transaction-Id = 0
Debug : (0) Number-of-Seconds = 0
Debug : (0) Flags = 0
Debug : (0) Client-IP-Address = 10.43.18.154
Debug : (0) Your-IP-Address = 0.0.0.0
Debug : (0) Server-IP-Address = 0.0.0.0
Debug : (0) Gateway-IP-Address = 10.43.18.154
Debug : (0) Client-Hardware-Address = 00:a0:bc:6c:7d:3a
Debug : (0) Message-Type = Discover
Debug : (0) IP-Address-Lease-Time = 16777215
Debug : (0) Vendor-Class-Identifier = 0x766961736174312e30
Debug : (0) Client-Identifier = 0x
Debug : (0) Parameter-Request-List = Subnet-Mask
Debug : (0) Parameter-Request-List = Broadcast-Address
Debug : (0) Parameter-Request-List = Time-Offset
Debug : (0) Parameter-Request-List = Router-Address
Debug : (0) Parameter-Request-List = Domain-Name
Debug : (0) Parameter-Request-List = Domain-Name-Server
Debug : (0) Parameter-Request-List = Hostname
Debug : (0) Rapid-Commit = yes
Debug : (0) 144 = 0x0a
Debug : (0) 145 = 0x01
Debug : (0) Relay-Agent-Information.Subscriber-Id = 00a0bc000001 at perf.test.viasat
Debug : (0) Relay-Agent-Information.Remote-Id = 0x00adbc6c7d3a
Debug : (0) Relay-Agent-Information.Circuit-Id = 0x0000804bff66
Debug : (0) Network-Subnet = 10.43.18.154/32
Debug : (0) Packet-Type = Discover
Debug : (0) Running 'recv Discover' from file /etc/raddb/sites-enabled/dhcp
Debug : (0) recv Discover {
...
Debug : (0) log_dhcp_discover - Using default message
Debug : (0) log_dhcp_discover - | Client-Identifier
Debug : (0) log_dhcp_discover - | %{Client-Identifier}
Debug : (0) log_dhcp_discover - | --> 0x
Bad talloc magic value - unknown value
talloc abort: Bad talloc magic value - unknown value
CAUGHT SIGNAL: Aborted
No panic action set
Program received signal SIGABRT, Aborted.
0x00007ffff51344fb in raise () from /lib64/libpthread.so.0
Backtrace:
(gdb) bt
#0 0x00007ffff51344fb in raise () from /lib64/libpthread.so.0
#1 0x00007ffff7b03686 in fr_fault (sig=6) at src/lib/util/debug.c:1057
#2 0x00007ffff7b036fe in _fr_talloc_fault (reason=0x7ffff6528a68 "Bad talloc magic value - unknown value")
at src/lib/util/debug.c:1099
#3 0x00007ffff6521168 in _talloc_free () from /lib64/libtalloc.so.2
#4 0x00007ffff7b803d7 in fr_value_box_clear_value (data=0x2038ce0) at src/lib/util/value.c:3529
#5 0x00007ffff70fdead in xlat_func_hex (ctx=0x20380a0, out=0x2033170, xctx=0x7fffffffc410, request=0x202f6f0,
args=0x20331d0) at src/lib/unlang/xlat_builtin.c:1591
#6 0x00007ffff710d13e in xlat_frame_eval_repeat (ctx=0x20380a0, out=0x2033170, child=0x7fffffffc688,
alternate=0x20331f0, request=0x202f6f0, head=0x106daa0, in=0x2033168, env_data=0x0, result=0x20331d0)
at src/lib/unlang/xlat_eval.c:944
#7 0x00007ffff70f3215 in unlang_xlat_repeat (p_result=0x202f8bc, request=0x202f6f0, frame=0x202fb70)
at src/lib/unlang/xlat.c:328
#8 0x00007ffff70e318a in frame_eval (priority=0x202f8b8, result=0x202f8bc, frame=0x202fb70, request=0x202f6f0)
at src/lib/unlang/interpret.c:520
#9 unlang_interpret (request=0x202f6f0) at src/lib/unlang/interpret.c:715
#10 0x00007ffff70e80c0 in unlang_interpret_synchronous (el=0x1c7f410, request=0x202f6f0)
at src/lib/unlang/interpret_synchronous.c:231
#11 0x00007ffff7114f8f in xlat_eval_sync (ctx=0x202f6f0, out=0x7fffffffc930, request=0x202f6f0,
head=0x106daa0, escape=0x7fffe86c3c25 <linelog_escape_func>, escape_ctx=0x0)
at src/lib/unlang/xlat_eval.c:1357
#12 0x00007ffff711523f in _xlat_eval_compiled (ctx=0x202f6f0, out=0x7fffffffc988, outlen=4096,
request=0x202f6f0, head=0x106daa0, escape=0x7fffe86c3c25 <linelog_escape_func>, escape_ctx=0x0)
at src/lib/unlang/xlat_eval.c:1440
#13 0x00007ffff7115785 in xlat_eval_compiled (out=0x7fffffffcde0 ".", outlen=4096, request=0x202f6f0,
xlat=0x106daa0, escape=0x7fffe86c3c25 <linelog_escape_func>, escape_ctx=0x0)
at src/lib/unlang/xlat_eval.c:1543
#14 0x00007ffff73f97fa in _tmpl_to_type (out=0x7fffffffcdd0, buff=0x7fffffffcde0 ".", bufflen=4096,
request=0x202f6f0, vpt=0x106d980, escape=0x7fffe86c3c25 <linelog_escape_func>, escape_ctx=0x0,
dst_type=FR_TYPE_STRING) at src/lib/server/tmpl_eval.c:365
---Type <return> to continue, or q <return> to quit---
#15 0x00007fffe86c5939 in mod_do_linelog (p_result=0x2032f58, mctx=0x7fffffffdfc0, request=0x202f6f0)
at src/modules/rlm_linelog/rlm_linelog.c:754
#16 0x00007ffff70ec9b1 in unlang_module (p_result=0x202f8bc, request=0x202f6f0, frame=0x202fae8)
at src/lib/unlang/module.c:961
#17 0x00007ffff70e318a in frame_eval (priority=0x202f8b8, result=0x202f8bc, frame=0x202fae8, request=0x202f6f0)
at src/lib/unlang/interpret.c:520
#18 unlang_interpret (request=0x202f6f0) at src/lib/unlang/interpret.c:715
#19 0x00007ffff6ea7557 in worker_run_request (start=..., worker=0x1cab060) at src/lib/io/worker.c:1329
#20 fr_worker_post_event (el=0x1c7f410, now=..., uctx=0x1cab060) at src/lib/io/worker.c:1563
#21 0x00007ffff7b29665 in fr_event_service (el=0x1c7f410) at src/lib/util/event.c:2725
#22 0x00007ffff7b29753 in fr_event_loop (el=0x1c7f410) at src/lib/util/event.c:2765
#23 0x00007ffff73d11e6 in main_loop_start () at src/lib/server/main_loop.c:214
#24 0x0000000000405f84 in main (argc=2, argv=0x7fffffffe5b8) at src/bin/radiusd.c:988
(gdb)
Thanks,
Nagamani Chinnapaiyan
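
An added example (not part of the original post and not FreeRADIUS code): a bounds-checked walk of a DHCP options field that flags an option 61 shorter than the two-byte minimum in RFC 2132, plus a hex encoder that treats zero-length input as an empty string. The function names are assumptions, and the sample bytes are constructed to mirror the Discover in the debug log above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum opt_status { OPT_ABSENT, OPT_OK, OPT_TOO_SHORT, OPT_MALFORMED };

/* Walk a DHCP options field (the bytes after the magic cookie) looking for
 * `code`. Each length byte is bounds-checked before the value is used. */
static enum opt_status find_option(const uint8_t *p, size_t len, uint8_t code,
                                   size_t min_len, const uint8_t **val, size_t *vlen)
{
    size_t i = 0;
    while (i < len) {
        uint8_t c = p[i++];
        if (c == 0) continue;                      /* Pad option */
        if (c == 255) break;                       /* End option */
        if (i >= len) return OPT_MALFORMED;        /* length byte missing */
        size_t l = p[i++];
        if (l > len - i) return OPT_MALFORMED;     /* value overruns buffer */
        if (c != code) { i += l; continue; }
        *val = p + i; *vlen = l;
        return l < min_len ? OPT_TOO_SHORT : OPT_OK;
    }
    return OPT_ABSENT;
}

/* Hex-encode into a caller-owned buffer; zero-length input yields "". */
static int hex_encode(const uint8_t *in, size_t inlen, char *out, size_t outlen)
{
    static const char digits[] = "0123456789abcdef";
    if (outlen < inlen * 2 + 1) return -1;         /* output buffer too small */
    for (size_t i = 0; i < inlen; i++) {
        out[2 * i] = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[inlen * 2] = '\0';
    return (int)(inlen * 2);
}

/* Constructed sample: Message-Type=Discover, Vendor-Class-Identifier
 * "viasat1.0", then option 61 with a zero length byte, then End. */
static const uint8_t sample_opts[] = { 53, 1, 1,
    60, 9, 'v', 'i', 'a', 's', 'a', 't', '1', '.', '0', 61, 0, 255 };

int main(void) {
    const uint8_t *v = NULL; size_t n = 0; char hex[2 * 255 + 1];
    enum opt_status st = find_option(sample_opts, sizeof sample_opts, 61, 2, &v, &n);
    hex_encode(v, n, hex, sizeof hex);
    printf("option 61: status=%d len=%zu hex=\"%s\"\n", (int)st, n, hex);
    return st == OPT_OK ? 0 : 1;
}
```

A check like this at the packet edge lets a zero-length Client-Identifier be logged and dropped, or replaced with a fixed marker, before any expansion such as the linelog format above runs on it.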