Re: Mac OS X EAP-TLS with wrong usename kills freeradius when check_cert_cn is set

Fri, 19 Jan 2007 08:36:44 -0800 

Miika Räisänen wrote:
> Heres coredump gdb logfile
> http://cc.oulu.fi/~mraisane/tmp/gdb-radiusd.log

  Well, that's pretty clear:

#0  0x00e97899 in cbtls_verify (ok=1, ctx=0xbff1e330) at rlm_eap_tls.c:257
...
        handler = (EAP_HANDLER *) 0x1

  That's not a valid pointer.  It looks like the handler is being freed
somewhere.

  Try the following patch, and run the server in debugging mode.  It
won't fix the problem, but it might help track down where/why the server
is freeing an EAP session that's still in the middle of doing SSL.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

? eap.patch
? radeapclient
Index: eap.h
===================================================================
RCS file: /source/radiusd/src/modules/rlm_eap/eap.h,v
retrieving revision 1.27.4.1
diff -u -r1.27.4.1 eap.h
--- eap.h       6 Feb 2006 16:23:50 -0000       1.27.4.1
+++ eap.h       19 Jan 2007 16:12:50 -0000
@@ -121,6 +121,7 @@
        int             status;
 
        int             stage;
+       int             in_ssl;
 } EAP_HANDLER;
 
 /*
Index: mem.c
===================================================================
RCS file: /source/radiusd/src/modules/rlm_eap/mem.c,v
retrieving revision 1.14.4.2
diff -u -r1.14.4.2 mem.c
--- mem.c       9 May 2006 20:59:23 -0000       1.14.4.2
+++ mem.c       19 Jan 2007 16:12:51 -0000
@@ -139,6 +139,8 @@
        handler->opaque = NULL;
        handler->free_opaque = NULL;
 
+       if (handler->in_ssl) DEBUG2("This will crash the server!");
+
        free(handler);
 }
 
Index: libeap/tls.c
===================================================================
RCS file: /source/radiusd/src/modules/rlm_eap/libeap/tls.c,v
retrieving revision 1.1.2.3
diff -u -r1.1.2.3 tls.c
--- libeap/tls.c        27 Apr 2006 18:53:23 -0000      1.1.2.3
+++ libeap/tls.c        19 Jan 2007 16:12:51 -0000
@@ -267,8 +267,15 @@
 
 void session_close(tls_session_t *ssn)
 {
-       if(ssn->ssl)
+       if(ssn->ssl) {
+               EAP_HANDLER *handler;
+
+               handler = (EAP_HANDLER *)SSL_get_ex_data(ssn->ssl, 0);
+               if (handler) handler->in_ssl = 0;
+
                SSL_free(ssn->ssl);
+       }
+
 #if 0
 /*
  * WARNING: SSL_free seems to decrement the reference counts already,
Index: types/rlm_eap_tls/rlm_eap_tls.c
===================================================================
RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c,v
retrieving revision 1.21.4.12
diff -u -r1.21.4.12 rlm_eap_tls.c
--- types/rlm_eap_tls/rlm_eap_tls.c     29 Nov 2006 22:59:48 -0000      
1.21.4.12
+++ types/rlm_eap_tls/rlm_eap_tls.c     19 Jan 2007 16:12:55 -0000
@@ -615,6 +615,7 @@
         *      this index should be global.
         */
        SSL_set_ex_data(ssn->ssl, 0, (void *)handler);
+       handler->in_ssl = 1;
        SSL_set_ex_data(ssn->ssl, 1, (void *)inst->conf);
 
        ssn->length_flag = inst->conf->include_length;

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to