Alan DeKok wrote:

>  Well... I tried it, and I didn't see any errors.

>  Can you check that you're really running a *stock* binary, and a
> *stock* configuration?

Attached is a recipe for how I replicated it (and another double free) on a clean system.



1) started on a fresh system that had never seen freeradius before.
2) apt-get build-dep freeradius
3) apt-get install libtalloc-dev
4) git clone git://git.freeradius.org/freeradius-server
5) git branch --track release_branch_3.0.0
6) git checkout release_branch_3.0.0
7) configure --prefix=/usr/local; make; make install
8) download wpa source and build eapol_test
9) configure an eapol_peap.conf:

network={
  ssid="example"
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="f...@domain.site"
  anonymous_identity="a...@domain.site"
  password="foo"
  phase1="peaplabel=0"
  phase2="auth=MSCHAPv2"
}

10) Try an auth against stock config, no memory errors as expected
11) copy proxy-inner-tunnel from sites-available to sites-enabled
12) change mods-enabled/eap peap{} to virtual_server = "proxy-inner-tunnel"
13) Run the test.  Get a GCC double free that ends as follows:

(7) # Executing section post-proxy from file 
/usr/local/etc/raddb/sites-enabled/default
(7)   group post-proxy {
(7)  - entering group post-proxy {...}
(7) eap : Doing post-proxy callback
(7) eap : Passing reply from proxy back into the tunnel
(7) eap : Got tunneled reply RADIUS code 11
    EAP-Message = 0x010800160410ea08d4982a033fac8f7f1f0bc63b952f
    Message-Authenticator = 0xbe82b369c495e2bceed47fd6f1b710d5
    State = 0xc10fbed8c107ba1915db9798d8125486
    Proxy-State = 0x37
(7) eap : Got tunneled Access-Challenge
(7) eap : Reply was handled
*** glibc detected *** /usr/local/sbin/radiusd: double free or corruption 
(out): 0x08cb34d8 ***


14) Note that proxy-inner-tunnel.post-proxy is not being entered, scratch head
15) Note this is a different error than the talloc-detected double-use
    I originally reported.  To see that one proceed as follows:
16) comment out "virtual-server" option in mods-enabled/eap peap{}
17) add this clause to top of sites-enabled/default.authorize:

if (Freeradius-Proxied-To == "127.0.0.1") {
  update control {
    Proxy-To-Realm = "example.com"
  }
}

18) Run the test.  Get the talloc error originally reported:

(7)   [suffix] = noop
(7) eap : Request is supposed to be proxied to Realm example.com. Not doing EAP.
(7)   [eap] = noop
(7)   [files] = noop
(7)   [expiration] = noop
(7)   [logintime] = noop
(7)   [pap] = noop
} # server default
(7) eap_peap : Got tunneled reply code 0
  PEAP: Tunneled authentication will be proxied to example.com
talloc: access after free error - first free may be at src/main/util.c:230 
Bad talloc magic value - access after free 
Aborted

19) Note that the error happens on the first unwrapped proxy before it is
    sent, so decide not to worry about anything past authorize {} in the
    default server.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
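As an added example (not part of the post above or of FreeRADIUS itself), the following script pulls the tunneled reply out of the quoted debug output and decodes its EAP-Message attribute per the RFC 3748 header layout; for the bytes shown it yields an EAP Request, id 8, 22 bytes, type MD5-Challenge with a 16-byte challenge. The function and regex names are my own, and the sample log is the handful of lines copied from the output quoted above.

```python
# Added example: decode the tunneled reply FreeRADIUS printed just before the abort.
import re

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 25: "PEAP", 26: "MSCHAPv2"}

def decode_eap_message(hexstr):
    """Parse one EAP packet given as the 0x... hex string from radiusd -X output."""
    data = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):  # RFC 3748: Length covers the whole packet
        raise ValueError("EAP length %d != attribute length %d" % (length, len(data)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type byte
        eap_type = data[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 4 and length >= 6:       # MD5-Challenge: Value-Size, Value, Name
            vsize = data[5]
            if 6 + vsize > length:
                raise ValueError("MD5-Challenge Value-Size exceeds packet")
            info["challenge"] = data[6:6 + vsize].hex()
            info["name"] = data[6 + vsize:].decode("ascii", "replace")
    return info

TUNNEL_RE = re.compile(r"Got tunneled reply RADIUS code (\d+)")
ATTR_RE = re.compile(r"^\s+(\S+) = (\S+)$")

def parse_tunneled_reply(log_text):
    """Return RADIUS code name, attributes and decoded EAP of the first tunneled reply."""
    result = None
    for line in log_text.splitlines():
        m = TUNNEL_RE.search(line)
        if m:
            rc = int(m.group(1))
            result = {"radius_code": RADIUS_CODES.get(rc, rc), "attrs": {}}
            continue
        if result is None:
            continue
        m = ATTR_RE.match(line)
        if not m:
            break                               # indented attribute dump has ended
        result["attrs"][m.group(1)] = m.group(2)
    if result and "EAP-Message" in result["attrs"]:
        result["eap"] = decode_eap_message(result["attrs"]["EAP-Message"])
    return result

# Constructed sample: the lines copied from the debug output quoted in the post.
SAMPLE_LOG = """(7) eap : Got tunneled reply RADIUS code 11
    EAP-Message = 0x010800160410ea08d4982a033fac8f7f1f0bc63b952f
    Message-Authenticator = 0xbe82b369c495e2bceed47fd6f1b710d5
    State = 0xc10fbed8c107ba1915db9798d8125486
    Proxy-State = 0x37
(7) eap : Got tunneled Access-Challenge
"""

if __name__ == "__main__":
    print(parse_tunneled_reply(SAMPLE_LOG))
```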