Bug 1427829

Summary: Stack overflow when passing bare IPv6 to radclient
Product: Red Hat Enterprise Linux 7
Component: freeradius
Version: 7.4
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Nikolai Kondrashov <nikolai.kondrashov>
Assignee: Nikolai Kondrashov <nikolai.kondrashov>
QA Contact: Jaroslav Aster <jaster>
CC: dpal, jaster, pkis
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-08-01 20:38:04 UTC
Type: Bug

Description Nikolai Kondrashov 2017-03-01 10:50:44 UTC
Description of problem:

When radclient is supplied with a bare IPv6 address as the server to send packets to, it overflows a buffer, triggering stack smashing protection.

Version-Release number of selected component (if applicable):
freeradius-utils-3.0.12-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
Execute "radclient 2620:52:0:1370:5054:ff:fe3b:ac50 auth testing123"

Actual results:

    *** stack smashing detected ***: radclient terminated
    ======= Backtrace: =========
    /lib64/libc.so.6(__fortify_fail+0x37)[0x7f5b36fdf047]
    /lib64/libc.so.6(__fortify_fail+0x0)[0x7f5b36fdf010]
    /usr/lib64/freeradius/libfreeradius-radius.so(fr_nonblock+0x0)[0x7f5b38a4a230]
    radclient(main+0xdc2)[0x7f5b38e99672]
    /lib64/libc.so.6(__libc_start_main+0xf5)[0x7f5b36ef1b35]
    radclient(+0x3ac6)[0x7f5b38e99ac6]
    Aborted (core dumped)


Expected results:

    radclient: IP string contains trailing garbage after port delimiter

Additional info:

Note that passing bare IPv6 addresses to radclient is not supported. They need
to be wrapped in square brackets. So the above command should be this instead:

    radclient [2620:52:0:1370:5054:ff:fe3b:ac50] auth testing123

The issue was fixed upstream in the following commits:

    https://github.com/FreeRADIUS/freeradius-server/commit/ed979270941e3fe97d3025bbed516b138da7552a
    https://github.com/FreeRADIUS/freeradius-server/commit/3ecddb52bf4016aeb74d58367455f8769c19a194

Also, radclient manpage was updated to reflect the requirement of square
brackets:

    https://github.com/FreeRADIUS/freeradius-server/commit/b9eea764a3e920b216f531b58292909dfc5f264f
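
A bounds-checked parser for the server argument forms described in this report (`host[:port]` and `[ipv6][:port]`), added here as an illustration; it is not FreeRADIUS code and not the upstream fix. The names `parse_server`, `parse_port` and the `SRV_*` codes are hypothetical. It rejects a bare IPv6 address at the port check, in line with the expected result above, and checks every length before copying.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical result codes for this example; not FreeRADIUS identifiers. */
enum { SRV_OK = 0, SRV_BAD_ADDR = -1, SRV_BAD_PORT = -2, SRV_TOO_LONG = -3 };

/* Parse 1-5 decimal digits in place; nothing is copied into a fixed buffer. */
static int parse_port(const char *s, uint16_t *port)
{
	unsigned long v = 0;
	size_t n;
	if (*s == '\0') return SRV_BAD_PORT;
	for (n = 0; s[n] != '\0'; n++) {
		/* A non-digit or a 6th character is trailing garbage after the delimiter. */
		if (n >= 5 || s[n] < '0' || s[n] > '9') return SRV_BAD_PORT;
		v = v * 10 + (unsigned long)(s[n] - '0');
	}
	if (v > 65535) return SRV_BAD_PORT;
	*port = (uint16_t)v;
	return SRV_OK;
}

/* Accepts "a.b.c.d[:port]" and "[ipv6][:port]"; a bare IPv6 address is rejected. */
int parse_server(const char *arg, int *af, unsigned char addr[16], uint16_t *port)
{
	char host[INET6_ADDRSTRLEN];
	const char *start = arg, *rest;
	size_t len;
	*port = 0;
	if (arg[0] == '[') {                 /* bracketed IPv6 literal */
		const char *close = strchr(arg, ']');
		if (close == NULL) return SRV_BAD_ADDR;
		start = arg + 1; len = (size_t)(close - start); rest = close + 1;
		*af = AF_INET6;
	} else {                             /* unbracketed: the first ':' starts the port */
		len = strcspn(arg, ":"); rest = arg + len;
		*af = AF_INET;
	}
	if (len >= sizeof(host)) return SRV_TOO_LONG;   /* length check before any copy */
	if (*rest == ':') {
		int rc = parse_port(rest + 1, port);
		if (rc != SRV_OK) return rc;
	} else if (*rest != '\0') return SRV_BAD_ADDR;
	memcpy(host, start, len);
	host[len] = '\0';
	return inet_pton(*af, host, addr) == 1 ? SRV_OK : SRV_BAD_ADDR;
}
```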

Comment 5 errata-xmlrpc 2017-08-01 20:38:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1954