Bug 1540580

Summary: Radius service crashes with "Bad talloc magic value - unknown value" when using module sql rlm_sql
Product: Red Hat Enterprise Linux 7
Reporter: Welterlen Benoit <bwelterl>
Component: freeradius
Assignee: Alex Scheel <ascheel>
Status: CLOSED CURRENTRELEASE
QA Contact: Jaroslav Aster <jaster>
Severity: high
Priority: urgent
Version: 7.4
CC: bwelterl, fkrska, nikolai.kondrashov, nkinder, pkis, toneata
Target Milestone: rc
Keywords: Patch, Reproducer, ZStream
Hardware: Unspecified
OS: Linux
Doc Type: If docs needed, set a value
Cloned as: 1551068, 1551069
Last Closed: 2018-11-14 17:33:28 UTC
Type: Bug
Bug Blocks: 1551068, 1551069
Attachments: Experimental fixed SRPM for test (flags: none)

Description Welterlen Benoit 2018-01-31 12:59:19 UTC
Created attachment 1388946
Experimental fixed SRPM for test

Description of problem:
Radius service crashes with "Bad talloc magic value - unknown value" when using module sql rlm_sql because of a double free of a talloc.

Version-Release number of selected component (if applicable):
freeradius-3.0.13-8

How reproducible:
With 

Steps to Reproduce:
1. The crash happens when the radius receives an accounting packet and the sql query does not match any existing row in the accounting table, i.e. there is no Start entry in the accounting table.
In the code, the talloc struct is freed twice: in the loop and in the finish part.

Actual results:
crash with:
rlm_sql_mysql: Rows matched: 0  Changed: 0  Warnings: 0
(8) sql: SQL query returned: success
(8) sql: 0 record(s) updated
(8) sql: Trying next query...
(8) sql: Ignoring null query
Bad talloc magic value - unknown value

talloc abort: Bad talloc magic value - unknown value

Expected results:
no crash

Additional info:
Patch:
--- 1/src/modules/rlm_sql/rlm_sql.c     2018-01-31 10:11:36.000000000 +0100
+++ 2/src/modules/rlm_sql/rlm_sql.c     2018-01-31 10:11:50.000000000 +0100
@@ -1439,7 +1439,6 @@
                if (!*expanded) {
                        RDEBUG("Ignoring null query");
                        rcode = RLM_MODULE_NOOP;
-                       talloc_free(expanded);

                        goto finish;
                }
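
Review bot: Dropping the `talloc_free(expanded)` before `goto finish` is correct only because the code after the `finish:` label frees `expanded` itself (the description says the buffer was freed both in the loop and in the finish part); since that second free sits outside this hunk, a one-line comment above the `goto`, e.g. `/* expanded is released at finish */`, would stop the early free from being reintroduced later. Worth also confirming that the other early exits in this loop that jump to `finish` leave `expanded` for the label to free in the same way, so the ownership rule is consistent across the loop.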

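The double free described in the report, reconstructed as an added example (this is not FreeRADIUS or talloc code and is not part of the bug report). A toy allocator with a talloc-style header magic stands in for talloc, the query strings are constructed stand-ins, and `run_accounting()` mirrors the loop's control flow: with the early free in place, the second free at `finish` meets a header whose magic has already been overwritten, which is the kind of header talloc refuses; with the early free removed, `finish` performs the only free.

```c
/* Added example (not FreeRADIUS or talloc code): a toy allocator with a
 * talloc-style header magic, used to show why the accounting loop aborted
 * on a bad magic value and why removing the early free is enough. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAGIC_LIVE  0x7A110C01u   /* header of a live allocation */
#define MAGIC_FREED 0xDEADBEEFu   /* what toy_free writes over it */

struct toy_hdr {
    uint32_t magic;
    size_t   size;
};

/* Freed blocks are parked here instead of going back to malloc, so a later
 * toy_free() can still inspect the header without undefined behaviour. */
static struct toy_hdr *quarantine[64];
static int quarantined;

static void *toy_alloc(size_t n)
{
    struct toy_hdr *h = malloc(sizeof(*h) + n);
    if (!h) abort();
    h->magic = MAGIC_LIVE;
    h->size = n;
    return h + 1;                        /* caller sees the payload only */
}

static char *toy_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = toy_alloc(n);
    memcpy(p, s, n);
    return p;
}

/* Returns 0 on success, -1 where talloc would abort on a bad magic value. */
static int toy_free(void *p)
{
    struct toy_hdr *h;
    if (!p) return 0;                    /* talloc_free(NULL) is a no-op too */
    h = (struct toy_hdr *)p - 1;
    if (h->magic != MAGIC_LIVE) {
        fprintf(stderr, "Bad toy magic value - %#x\n", (unsigned)h->magic);
        return -1;
    }
    h->magic = MAGIC_FREED;
    if (quarantined < (int)(sizeof quarantine / sizeof quarantine[0]))
        quarantine[quarantined++] = h;
    else
        free(h);
    return 0;
}

static void toy_drain(void)
{
    while (quarantined > 0) free(quarantine[--quarantined]);
}

/* Constructed stand-in for the redundant accounting query list: the first
 * query runs but matches no row, the second expands to an empty string. */
static const char *queries[] = { "UPDATE-stub-no-start-row", "", NULL };

/* Mirrors the loop in the bug report. With buggy != 0 the "Ignoring null
 * query" branch frees expanded before jumping to finish, where it is freed
 * again. Returns 0 on a clean NOOP exit, -1 when a double free is caught. */
static int run_accounting(int buggy)
{
    char *expanded = NULL;
    int rc = 0;
    const char **q;

    for (q = queries; *q; q++) {
        expanded = toy_strdup(*q);       /* stands in for xlat expansion */
        if (!*expanded) {
            printf("Ignoring null query\n");
            if (buggy) toy_free(expanded);   /* the removed early free */
            goto finish;                 /* fixed path: finish owns the free */
        }
        printf("0 record(s) updated, trying next query...\n");
        toy_free(expanded);              /* end of iteration: free and forget */
        expanded = NULL;
    }
finish:
    if (toy_free(expanded) != 0) rc = -1;    /* second free on the buggy path */
    toy_drain();
    return rc;
}

int main(void)
{
    printf("buggy path: %s\n", run_accounting(1) ? "bad magic (double free)" : "ok");
    printf("fixed path: %s\n", run_accounting(0) ? "bad magic (double free)" : "ok");
    return 0;
}
```

One caveat on reading the real message: talloc keeps a separate "access after free" report for a freed chunk whose header is still intact, and "Bad talloc magic value - unknown value" means the header no longer looked like any talloc chunk at all, i.e. the memory had already been reused by the time of the second free. The toy models only that end state by overwriting the magic on free.
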
Comment 3 Nikolai Kondrashov 2018-02-01 13:51:13 UTC
Thank you for the report and the fix, Welterlen! Have you talked to upstream about this issue, have they verified the fix is correct to their understanding?

Comment 6 Nikolai Kondrashov 2018-02-13 15:05:31 UTC
Fix appears correct and is submitted upstream: https://github.com/FreeRADIUS/freeradius-server/pull/2180

Thank you, Benoit!

Comment 7 Nikolai Kondrashov 2018-02-13 15:11:23 UTC
Fix merged upstream.

Comment 15 Jaroslav Aster 2018-04-16 10:16:38 UTC
Hi all,

unfortunately I wasn't able to reproduce this bug. I configured radiusd to use mariadb and sent some accounting requests via radclient, playing with the database and so on, but nothing happened.

Maybe there is some non-standard sql query in /etc/raddb/mods-config/sql/main/mysql/queries.conf?