Bug#606450: freeradius crashes on SIGHUP

2012-06-29 Thread Josip Rodin
On Mon, Nov 28, 2011 at 01:48:18PM +0100, Alan T DeKok wrote:
> Josip Rodin wrote:
> > That just doesn't seem safe enough when an analogous bit of parsing code in
> > cf_section_parse() does:
> ..
> > and cf_item_parse() can fail, so it stands to reason that *data can
> > remain unwritten, and should not be free()'d.
>
>   The solution is to write to data.  The reason is that the parse
> routine may parse *many* configuration entries correctly, before running
> into an error.
>
>   To avoid a memory leak, the pointers should be initialized before they
> are used.  I've committed a change to the v2.1.x branch which fixes this.

This didn't seem to end up in 2.1.12, why is that?

-- 
 2. That which causes joy or happiness.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#606450: freeradius crashes on SIGHUP

2012-06-29 Thread Alan T DeKok
Josip Rodin wrote:
> >   To avoid a memory leak, the pointers should be initialized before they
> > are used.  I've committed a change to the v2.1.x branch which fixes this.
>
> This didn't seem to end up in 2.1.12, why is that?

  2.1.12 came out before the patch was done.  The patch went in on
November 28, and 2.1.12 came out in September.

  See commit 378f2517357f11f9900c3799c6a469ee2fda7bdf

  Alan DeKok.






Bug#606450: freeradius crashes on SIGHUP

2011-11-28 Thread Josip Rodin
On Thu, Dec 09, 2010 at 11:59:07AM +0100, Ralf Hildebrandt wrote:
> Package: freeradius
> Version: 2.1.10+dfsg-2
> Severity: normal
>
> From our log:
>
> ...
> Dec  9 11:46:08 dns-cbf freeradius[5716]: Login OK: [00-1A-4B-28-BD-76] (from
> client 10.43.24.10 port 31016 cli 00-1A-4B-28-BD-76)
> Dec  9 11:46:11 dns-cbf logger: /usr/local/scripts/updateradiususers :
> reloading freeradius
> Dec  9 11:46:11 dns-cbf freeradius[5716]: Received HUP signal.
> Dec  9 11:46:11 dns-cbf freeradius[5716]: HUP - Re-reading configuration files
> Dec  9 11:46:11 dns-cbf freeradius[5716]: HUP - loading modules
> Dec  9 11:46:11 dns-cbf freeradius[5716]:  Module: Reloaded module pap
> Dec  9 11:46:11 dns-cbf freeradius[5716]:  Module: Reloaded module suffix
> Dec  9 11:46:12 dns-cbf freeradius[5716]:  Module: Reloaded module files
> Dec  9 11:46:12 dns-cbf freeradius[5716]:  Module: Reloaded module detail
> Dec  9 11:46:12 dns-cbf freeradius[5716]:  Module: Reloaded module radutmp
> Dec  9 11:46:12 dns-cbf freeradius[5716]: Loaded virtual server default
> Dec  9 11:46:12 dns-cbf freeradius[5716]: Login OK: [00-1B-78-12-47-83] (from
> client 10.47.100.13 port 11011 cli 00-1B-78-12-47-83)
> Dec  9 11:46:16 dns-cbf freeradius[5716]: Login OK: [00-0C-29-CF-40-63] (from
> client 10.47.26.7 port 12048 cli 00-0C-29-CF-40-63)
> Dec  9 11:46:18 dns-cbf freeradius[5716]: Login OK: [00-17-08-8C-DE-C4] (from
> client 10.47.88.8 port 32021 cli 00-17-08-8C-DE-C4)
>
> it's crashing here
>
> I'm attaching the backtrace.
>
> Program terminated with signal 6, Aborted.
[...]
> #6  0x0805307d in cf_section_parse_free (cs=0xa5a9cb70, base=0xa59360d0) at
> conffile.c:329
>         p = 0xbfd807a8
>         variables = <value optimized out>
> #7  0x08053f88 in cf_section_free (cs=0xbfd80db8) at conffile.c:344
>         ci = <value optimized out>
>         next = <value optimized out>
> #8  0x08053fea in cf_section_free (cs=0xbfd80e08) at conffile.c:358
>         section = 0xa5a9cb70
>         ci = <value optimized out>
>         next = 0xa5a94f50
> #9  0x08053fea in cf_section_free (cs=0xa8568128) at conffile.c:358
>         section = 0xa5aada30
>         ci = <value optimized out>
>         next = 0xad3c6040
> #10 0x0805e47d in free_mainconfig () at mainconfig.c:983
>         cc = 0xa8568120
>         next = 0xa84f7590

This trace indicates a SIGABRT on a free() in conffile.c:329, which sounds
most likely that we're freeing random stuff. The code says:

    /*
     *  No base struct offset, data must be the pointer.
     *  If data doesn't exist, ignore the entry, there
     *  must be something wrong.
     */
    if (!base) {
        if (!variables[i].data) {
            continue;
        }

        p = (char **) variables[i].data;;

    } else if (variables[i].data) {
        p = (char **) variables[i].data;;

    } else {
        p = (char **) (((char *)base) + variables[i].offset);
    }

    free(*p);

That just doesn't seem safe enough when an analogous bit of parsing code in
cf_section_parse() does:

    data = ((char *)base) + variables[i].offset;

    if (cf_item_parse(cs, variables[i].name, variables[i].type,
                      data, variables[i].dflt) < 0) {
        goto error;
    }

and cf_item_parse() can fail, so it stands to reason that *data can
remain unwritten, and should not be free()'d.

-- 
 2. That which causes joy or happiness.






Bug#606450: freeradius crashes on SIGHUP

2011-11-28 Thread Alan T DeKok
Josip Rodin wrote:
> That just doesn't seem safe enough when an analogous bit of parsing code in
> cf_section_parse() does:
..
> and cf_item_parse() can fail, so it stands to reason that *data can
> remain unwritten, and should not be free()'d.

  The solution is to write to data.  The reason is that the parse
routine may parse *many* configuration entries correctly, before running
into an error.

  To avoid a memory leak, the pointers should be initialized before they
are used.  I've committed a change to the v2.1.x branch which fixes this.

  Alan DeKok.
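
The failure mode diagnosed in this thread and the fix described above (initialize the pointers before they are used), as an added example that is not FreeRADIUS code and not from any poster. The names conf_t, offsets, conf_init, conf_parse and conf_free are hypothetical, and a NULL input value stands in for a failing cf_item_parse().

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical miniature of an offset-table config parser; not FreeRADIUS code. */
typedef struct { char *user, *secret, *realm; } conf_t;
static const size_t offsets[] = {
    offsetof(conf_t, user), offsetof(conf_t, secret), offsetof(conf_t, realm),
};
#define NVARS (sizeof(offsets) / sizeof(offsets[0]))

static char **slot(void *base, size_t i) {
    return (char **)((char *)base + offsets[i]);
}

/* The fix: give every slot a defined value before any parsing happens. */
void conf_init(void *base) {
    for (size_t i = 0; i < NVARS; i++) *slot(base, i) = NULL;
}

/* Parse in table order; a NULL input (assumed failure) leaves later slots unwritten. */
int conf_parse(void *base, const char *const *values) {
    for (size_t i = 0; i < NVARS; i++) {
        char *copy = values[i] ? malloc(strlen(values[i]) + 1) : NULL;
        if (!copy) return -1;
        *slot(base, i) = strcpy(copy, values[i]);
    }
    return 0;
}

/* Free every slot, return how many held data; relies on conf_init() having run. */
int conf_free(void *base) {
    int freed = 0;
    for (size_t i = 0; i < NVARS; i++) {
        char **p = slot(base, i);
        freed += (*p != NULL);
        free(*p);               /* free(NULL) is a no-op */
        *p = NULL;
    }
    return freed;
}

/* Constructed run: stale memory, then a parse that fails on the second item. */
int demo_partial_parse(void) {
    conf_t c;
    memset(&c, 0xA5, sizeof(c));
    conf_init(&c);
    const char *const values[] = { "bob", NULL, "example.org" };
    return conf_parse(&c, values) == -1 ? conf_free(&c) : -1;
}
```

Dropping the conf_init() call from demo_partial_parse() leaves the 0xA5 fill in the two unwritten slots, and conf_free() then passes that value to free().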






Bug#606450: freeradius crashes on SIGHUP

2010-12-09 Thread Ralf Hildebrandt
Package: freeradius
Version: 2.1.10+dfsg-2
Severity: normal


From our log:

...
Dec  9 11:46:08 dns-cbf freeradius[5716]: Login OK: [00-1A-4B-28-BD-76] (from 
client 10.43.24.10 port 31016 cli 00-1A-4B-28-BD-76)
Dec  9 11:46:11 dns-cbf logger: /usr/local/scripts/updateradiususers : 
reloading freeradius
Dec  9 11:46:11 dns-cbf freeradius[5716]: Received HUP signal.
Dec  9 11:46:11 dns-cbf freeradius[5716]: HUP - Re-reading configuration files
Dec  9 11:46:11 dns-cbf freeradius[5716]: HUP - loading modules
Dec  9 11:46:11 dns-cbf freeradius[5716]:  Module: Reloaded module pap
Dec  9 11:46:11 dns-cbf freeradius[5716]:  Module: Reloaded module suffix
Dec  9 11:46:12 dns-cbf freeradius[5716]:  Module: Reloaded module files
Dec  9 11:46:12 dns-cbf freeradius[5716]:  Module: Reloaded module detail
Dec  9 11:46:12 dns-cbf freeradius[5716]:  Module: Reloaded module radutmp
Dec  9 11:46:12 dns-cbf freeradius[5716]: Loaded virtual server default
Dec  9 11:46:12 dns-cbf freeradius[5716]: Login OK: [00-1B-78-12-47-83] (from 
client 10.47.100.13 port 11011 cli 00-1B-78-12-47-83)
Dec  9 11:46:16 dns-cbf freeradius[5716]: Login OK: [00-0C-29-CF-40-63] (from 
client 10.47.26.7 port 12048 cli 00-0C-29-CF-40-63)
Dec  9 11:46:18 dns-cbf freeradius[5716]: Login OK: [00-17-08-8C-DE-C4] (from 
client 10.47.88.8 port 32021 cli 00-17-08-8C-DE-C4)

it's crashing here

Dec  9 11:46:21 dns-cbf logger: /usr/local/scripts/updateradiusclients : 
restarting freeradius
Dec  9 11:46:21 dns-cbf freeradius[5716]: Exiting normally.
Dec  9 11:46:28 dns-cbf freeradius[32306]: Core dumps are enabled.
Dec  9 11:46:28 dns-cbf freeradius[32306]: Loaded virtual server default
Dec  9 11:46:28 dns-cbf freeradius[32306]: Ready to process requests.
Dec  9 11:46:28 dns-cbf freeradius[32306]: Login OK: [00-60-B0-16-7F-55] (from 
client 10.47.104.9 port 12038 cli 00-60-B0-16-7F-55)

I'm attaching the backtrace.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages freeradius depends on:
ii  adduser             3.112+nmu2        add and remove users and groups
ii  ca-certificates     20090814+nmu2     Common CA certificates
ii  freeradius-common   2.1.10+dfsg-2     FreeRADIUS common files
ii  libc6               2.11.2-7          Embedded GNU C Library: Shared lib
ii  libfreeradius2      2.1.10+dfsg-2     FreeRADIUS shared library
ii  libgdbm3            1.8.3-9           GNU dbm database routines (runtime
ii  libltdl7            2.2.6b-2          A system independent dlopen wrappe
ii  libpam0g            1.1.1-6.1         Pluggable Authentication Modules l
ii  libperl5.10         5.10.1-16         shared Perl library
ii  libpython2.6        2.6.6-7           Shared Python runtime library (ver
ii  libssl0.9.8         0.9.8o-4          SSL shared libraries
ii  lsb-base            3.2-26            Linux Standard Base 3.2 init scrip
ii  ssl-cert            1.0.27            simple debconf wrapper for OpenSSL
ii  zlib1g              1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages freeradius recommends:
ii  freeradius-utils   2.1.10+dfsg-2 FreeRADIUS client utilities

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>  (no description available)
pn  freeradius-ldap        <none>  (no description available)
pn  freeradius-mysql       <none>  (no description available)
pn  freeradius-postgresql  <none>  (no description available)

-- Configuration Files:
/etc/freeradius/clients.conf changed [not included]
/etc/freeradius/users changed [not included]
/etc/init.d/freeradius changed [not included]
/etc/logrotate.d/freeradius changed [not included]

-- no debconf information
GNU gdb (GDB) 7.2-debian
This GDB was configured as i486-linux-gnu.
Reading symbols from /usr/sbin/freeradius...Reading symbols from 
/usr/lib/debug/usr/sbin/freeradius...done.
done.
[New Thread 5716]
[New Thread 5723]
[New Thread 5722]
[New Thread 5725]
[New Thread 5724]
[New Thread 5726]
Reading symbols from 
/usr/lib/freeradius/libfreeradius-radius-2.1.10.so...Reading symbols from 
/usr/lib/debug/usr/lib/freeradius/libfreeradius-radius-2.1.10.so...done.
done.
Loaded symbols for /usr/lib/freeradius/libfreeradius-radius-2.1.10.so
Reading symbols from /lib/i686/cmov/libnsl.so.1...(no debugging symbols