+++ This bug was initially created as a clone of Bug #476512 +++

Escalated to Bugzilla from IssueTracker

--- Additional comment from tao on 2008-12-15 06:45:29 EDT ---

On x86_64 build, create file:

# cat junk
User-Name = "groundwork"
NAS-IP-Address = 129.127.41.83
EAP-Code = Request
EAP-Id = 210
EAP-Type-Identity = "groundwork"
Message-Authenticator = 0x00
NAS-Port = 0

Run command:

cat junk |radeapclient tintin.services.adelaide.edu.au auth test1

Result is an ABORT due to invalid pointer free()

This event sent from IssueTracker by mpoole [Support Engineering Group]
issue 245803

--- Additional comment from tao on 2008-12-15 06:45:32 EDT ---

I have grabbed a core, and done a quick analysis:

# ulimit -c 1000000000
# cat junk |radeapclient tintin.services.adelaide.edu.au auth test1q
+++> About to send encoded packet:
	User-Name = "groundwork"
	NAS-IP-Address = 129.127.41.83
	EAP-Code = Request
	EAP-Id = 210
	EAP-Type-Identity = "groundwork"
	Message-Authenticator = 0x00
	NAS-Port = 0
*** glibc detected *** radeapclient: free(): invalid pointer: 0x000000001e0ed72c ***
======= Backtrace: =========
/lib64/libc.so.6[0x2b850bf32634]
/lib64/libc.so.6(cfree+0x8c)[0x2b850bf35c5c]
/usr/lib64/libeap-1.1.3.so(eap_basic_compose+0x2a0)[0x2b850ac74a60]
/usr/lib64/libeap-1.1.3.so(map_eap_types+0xe3)[0x2b850ac74b73]
radeapclient[0x40311d]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2b850bede8b4]
radeapclient[0x401bd9]
======= Memory map: ========
00400000-00405000 r-xp 00000000 fd:00 40730729 /usr/bin/radeapclient
00605000-00606000 rw-p 00005000 fd:00 40730729 /usr/bin/radeapclient
1e066000-1e197000 rw-p 1e066000 00:00 0
2b850aa56000-2b850aa70000 r-xp 00000000 fd:00 72056871 /lib64/ld-2.5.so
2b850aa70000-2b850aa72000 rw-p 2b850aa70000 00:00 0
2b850ac70000-2b850ac71000 r--p 0001a000 fd:00 72056871 /lib64/ld-2.5.so
2b850ac71000-2b850ac72000 rw-p 0001b000 fd:00 72056871 /lib64/ld-2.5.so
2b850ac72000-2b850ac7a000 r-xp 00000000 fd:00 41027137 /usr/lib64/libeap-1.1.3.so
2b850ac7a000-2b850ae79000 ---p 00008000 fd:00 41027137 /usr/lib64/libeap-1.1.3.so
2b850ae79000-2b850ae7a000 rw-p 00007000 fd:00 41027137 /usr/lib64/libeap-1.1.3.so
2b850ae7a000-2b850ae90000 r-xp 00000000 fd:00 41025636 /usr/lib64/libradius-1.1.3.so
2b850ae90000-2b850b08f000 ---p 00016000 fd:00 41025636 /usr/lib64/libradius-1.1.3.so
2b850b08f000-2b850b091000 rw-p 00015000 fd:00 41025636 /usr/lib64/libradius-1.1.3.so
2b850b091000-2b850b093000 rw-p 2b850b091000 00:00 0
2b850b0af000-2b850b0b8000 r-xp 00000000 fd:00 72056853 /lib64/libcrypt-2.5.so
2b850b0b8000-2b850b2b7000 ---p 00009000 fd:00 72056853 /lib64/libcrypt-2.5.so
2b850b2b7000-2b850b2b8000 r--p 00008000 fd:00 72056853 /lib64/libcrypt-2.5.so
2b850b2b8000-2b850b2b9000 rw-p 00009000 fd:00 72056853 /lib64/libcrypt-2.5.so
2b850b2b9000-2b850b2e7000 rw-p 2b850b2b9000 00:00 0
2b850b2e7000-2b850b2fc000 r-xp 00000000 fd:00 72056866 /lib64/libnsl-2.5.so
2b850b2fc000-2b850b4fb000 ---p 00015000 fd:00 72056866 /lib64/libnsl-2.5.so
2b850b4fb000-2b850b4fc000 r--p 00014000 fd:00 72056866 /lib64/libnsl-2.5.so
2b850b4fc000-2b850b4fd000 rw-p 00015000 fd:00 72056866 /lib64/libnsl-2.5.so
2b850b4fd000-2b850b500000 rw-p 2b850b4fd000 00:00 0
2b850b500000-2b850b511000 r-xp 00000000 fd:00 72056882 /lib64/libresolv-2.5.so
2b850b511000-2b850b711000 ---p 00011000 fd:00 72056882 /lib64/libresolv-2.5.so
2b850b711000-2b850b712000 r--p 00011000 fd:00 72056882 /lib64/libresolv-2.5.so
2b850b712000-2b850b713000 rw-p 00012000 fd:00 72056882 /lib64/libresolv-2.5.so
2b850b713000-2b850b715000 rw-p 2b850b713000 00:00 0
2b850b715000-2b850b72a000 r-xp 00000000 fd:00 72057005 /lib64/libpthread-2.5.so
2b850b72a000-2b850b929000 ---p 00015000 fd:00 72057005 /lib64/libpthread-2.5.so
2b850b929000-2b850b92a000 r--p 00014000 fd:00 72057005 /lib64/libpthread-2.5.so
2b850b92a000-2b850b92b000 rw-p 00015000 fd:00 72057005 /lib64/libpthread-2.5.so
2b850b92b000-2b850b92f000 rw-p 2b850b92b000 00:00 0
2b850b92f000-2b850b972000 r-xp 00000000 fd:00 72056860 /lib64/libssl.so.0.9.8b
2b850b972000-2b850bb72000 ---p 00043000 fd:00 72056860 /lib64/libssl.so.0.9.8b
2b850bb72000-2b850bb78000 rw-p 00043000 fd:00 72056860 /lib64/libssl.so.0.9.8b
2b850bb78000-2b850bb79000 rw-p 2b850bb78000 00:00 0
2b850bb79000-2b850bc9e000 r-xp 00000000 fd:00 72056847 /lib64/libcrypto.so.0.9.8b
2b850bc9e000-2b850be9e000 ---p 00125000 fd:00 72056847 /lib64/libcrypto.so.0.9.8b
2b850be9e000-2b850bebd000 rw-p 00125000 fd:00 72056847 /lib64/libcrypto.so.0.9.8b
2b850bebd000-2b850bec1000 rw-p 2b850bebd000 00:00 0
2b850bec1000-2b850c00b000 r-xp 00000000 fd:00 72056892 /lib64/libc-2.5.so
2b850c00b000-2b850c20a000 ---p 0014a000 fd:00 72056892 /lib64/libc-2.5.so
2b850c20a000-2b850c20e000 r--p 00149000 fd:00 72056892 /lib64/libc-2.5.so
2b850c20e000-2b850c20f000 rw-p 0014d000 fd:00 72056892 /lib64/libc-2.5.so
2b850c20f000-2b850c214000 rw-p 2b850c20f000 00:00 0
2b850c214000-2b850c240000 r-xp 00000000 fd:00 41026383 /usr/lib64/libgssapi_krb5.so.2.2
2b850c240000-2b850c440000 ---p 0002c000 fd:00 41026383 /usr/lib64/libgssapi_krb5.so.2.2
2b850c440000-2b850c442000 rw-p 0002c000 fd:00 41026383 /usr/lib64/libgssapi_krb5.so.2.2
2b850c442000-2b850c443000 rw-p 2b850c442000 00:00 0
2b850c443000-2b850c4d2000 r-xp 00000000 fd:00 41026441 /usr/lib64/libkrb5.so.3.3
2b850c4d2000-2b850c6d2000 ---p 0008f000 fd:00 41026441 /usr/lib64/libkrb5.so.3.3
2b850c6d2000-2b850c6d6000 rw-p 0008f000 fd:00 41026441 /usr/lib64/libkrb5.so.3.3
2b850c6d6000-2b850c6d8000 r-xp 00000000 fd:00 72057012 /lib64/libcom_err.so.2.1
2b850c6d8000-2b850c8d7000 ---p 00002000 fd:00 72057012 /lib64/libcom_err.so.2.1
2b850c8d7000-2b850c8d8000 rw-p 00001000 fd:00 72057012 /lib64/libcom_err.so.2.1
2b850c8d8000-2b850c8fc000 r-xp 00000000 fd:00 41026427 /usr/lib64/libk5crypto.so.3.1
2b850c8fc000-2b850cafb000 ---p 00024000 fd:00 41026427 /usr/lib64/libk5crypto.so.3.1
2b850cafb000-2b850cafd000 rw-p 00023000 fd:00 41026427 /usr/lib64/libk5crypto.so.3.1
2b850cafd000-2b850cafe000 rw-p 2b850cafd000 00:00 0
2b850cafe000-2b850cb00000 r-xp 00000000 fd:00 72056879 /lib64/libdl-2.5.so
2b850cb00000-2b850cd00000 ---p 00002000 fd:00 72056879 /lib64/libdl-2.5.so
2b850cd00000-2b850cd01000 r--p 00002000 fd:00 72056879 /lib64/libdl-2.5.so
2b850cd01000-2b850cd02000 rw-p 00003000 fd:00 72056879 /lib64/libdl-2.5.so
2b850cd02000-2b850cd16000 r-xp 00000000 fd:00 41025740 /usr/lib64/libz.so.1.2.3
2b850cd16000-2b850cf15000 ---p 00014000 fd:00 41025740 /usr/lib64/libz.so.1.2.3
2b850cf15000-2b850cf16000 rw-p 00013000 fd:00 41025740 /usr/lib64/libz.so.1.2.3
2b850cf16000-2b850cf1e000 r-xp 00000000 fd:00 41026446 /usr/lib64/libkrb5support.so.0.1
2b850cf1e000-2b850d11d000 ---p 00008000 fd:00 41026446 /usr/lib64/libkrb5support.so.0.1
2b850d11d000-2b850d11e000 rw-p 00007000 fd:00 41026446 /usr/lib64/libkrb5support.so.0.1
2b850d11e000-2b850d11f000 rw-p 2b850d11e000 00:00 0
2b850d11f000-2b850d121000 r-xp 00000000 fd:00 72056905 /lib64/libkeyutils-1.2.so
2b850d121000-2b850d320000 ---p 00002000 fd:00 72056905 /lib64/libkeyutils-1.2.so
2b850d320000-2b850d321000 rw-p 00001000 fd:00 72056905 /lib64/libkeyutils-1.2.so
2b850d321000-2b850d336000 r-xp 00000000 fd:00 72056869 /lib64/libselinux.so.1
2b850d336000-2b850d536000 ---p 00015000 fd:00 72056869 /lib64/libselinux.so.1
2b850d536000-2b850d538000 rw-p 00015000 fd:00 72056869 /lib64/libselinux.so.1
2b850d538000-2b850d53a000 rw-p 2b850d538000 00:00 0
2b850d53a000-2b850d575000 r-xp 00000000 fd:00 72056902 /lib64/libsepol.so.1
2b850d575000-2b850d775000 ---p 0003b000 fd:00 72056902 /lib64/libsepol.so.1
2b850d775000-2b850d776000 rw-p 0003b000 fd:00 72056902 /lib64/libsepol.so.1
2b850d776000-2b850d782000 rw-p 2b850d776000 00:00 0
2b850d782000-2b850d78c000 r-xp 00000000 fd:00 72057116 /lib64/libnss_files-2.5.so
2b850d78c000-2b850d98b000 ---p 0000a000 fd:00 72057116 /lib64/libnss_files-2.5.so
2b850d98b000-2b850d98c000 r--p 00009000 fd:00 72057116 /lib64/libnss_files-2.5.so
2b850d98c000-2b850d98d000 rw-p 0000a000 fd:00 72057116 /lib64/libnss_files-2.5.so
2b850d98d000-2b850d991000 r-xp 00000000 fd:00 72056856 /lib64/libnss_dns-2.5.so
2b850d991000-2b850db90000 ---p 00004000 fd:00 72056856 /lib64/libnss_dns-2.5.so
2b850db90000-2b850db91000 r--p 00003000 fd:00 72056856 /lib64/libnss_dns-2.5.so
2b850db91000-2b850db92000 rw-p 00004000 fd:00 72056856 /lib64/libnss_dns-2.5.so
2b850dbb0000-2b850dbbd000 r-xp 00000000 fd:00 72056889 /lib64/libgcc_s-4.1.2-20080102.so.1
2b850dbbd000-2b850ddbd000 ---p 0000d000 fd:00 72056889 /lib64/libgcc_s-4.1.2-20080102.so.1
2b850ddbd000-2b850ddbe000 rw-p 0000d000 fd:00 72056889 /lib64/libgcc_s-4.1.2-20080102.so.1
2b8510000000-2b8510021000 rw-p 2b8510000000 00:00 0
2b8510021000-2b8514000000 ---p 2b8510021000 00:00 0
7fffa003e000-7fffa0054000 rw-p 7fffa003e000 00:00 0 [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0 [vdso]
Aborted (core dumped)

mkearey assigned to issue for GSS-APAC Australia/New Zealand Support.
Status set to: Waiting on Tech

This event sent from IssueTracker by mpoole [Support Engineering Group]
issue 245803

--- Additional comment from tao on 2008-12-15 06:45:33 EDT ---

# gdb `which radeapclient` core.24108
GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib64/libthread_db.so.1".

Reading symbols from /usr/lib64/libeap-1.1.3.so...Reading symbols from /usr/lib/debug/usr/lib64/libeap-1.1.3.so.debug...done.
done.
Loaded symbols for /usr/lib64/libeap-1.1.3.so
Reading symbols from /usr/lib64/libradius-1.1.3.so...Reading symbols from /usr/lib/debug/usr/lib64/libradius-1.1.3.so.debug...done.
done.
Loaded symbols for /usr/lib64/libradius-1.1.3.so
Reading symbols from /lib64/libcrypt.so.1...Reading symbols from /usr/lib/debug/lib64/libcrypt-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /lib64/libnsl.so.1...Reading symbols from /usr/lib/debug/lib64/libnsl-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /lib64/libresolv.so.2...Reading symbols from /usr/lib/debug/lib64/libresolv-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libpthread.so.0...Reading symbols from /usr/lib/debug/lib64/libpthread-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libssl.so.6...Reading symbols from /usr/lib/debug/lib64/libssl.so.0.9.8b.debug...done.
done.
Loaded symbols for /lib64/libssl.so.6
Reading symbols from /lib64/libcrypto.so.6...Reading symbols from /usr/lib/debug/lib64/libcrypto.so.0.9.8b.debug...done.
done.
Loaded symbols for /lib64/libcrypto.so.6
Reading symbols from /lib64/libc.so.6...Reading symbols from /usr/lib/debug/lib64/libc-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib64/ld-2.5.so.debug...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib64/libgssapi_krb5.so.2...Reading symbols from /usr/lib/debug/usr/lib64/libgssapi_krb5.so.2.2.debug...done.
done.
Loaded symbols for /usr/lib64/libgssapi_krb5.so.2
Reading symbols from /usr/lib64/libkrb5.so.3...Reading symbols from /usr/lib/debug/usr/lib64/libkrb5.so.3.3.debug...done.
done.
Loaded symbols for /usr/lib64/libkrb5.so.3
Reading symbols from /lib64/libcom_err.so.2...Reading symbols from /usr/lib/debug/lib64/libcom_err.so.2.1.debug...done.
done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libk5crypto.so.3...Reading symbols from /usr/lib/debug/usr/lib64/libk5crypto.so.3.1.debug...done.
done.
Loaded symbols for /usr/lib64/libk5crypto.so.3
Reading symbols from /lib64/libdl.so.2...Reading symbols from /usr/lib/debug/lib64/libdl-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /usr/lib64/libz.so.1...Reading symbols from /usr/lib/debug/usr/lib64/libz.so.1.2.3.debug...done.
done.
Loaded symbols for /usr/lib64/libz.so.1
Reading symbols from /usr/lib64/libkrb5support.so.0...Reading symbols from /usr/lib/debug/usr/lib64/libkrb5support.so.0.1.debug...done.
done.
Loaded symbols for /usr/lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /lib64/libselinux.so.1...done.
Loaded symbols for /lib64/libselinux.so.1
Reading symbols from /lib64/libsepol.so.1...done.
Loaded symbols for /lib64/libsepol.so.1
Reading symbols from /lib64/libnss_files.so.2...Reading symbols from /usr/lib/debug/lib64/libnss_files-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /lib64/libnss_dns.so.2...Reading symbols from /usr/lib/debug/lib64/libnss_dns-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libnss_dns.so.2
Reading symbols from /lib64/libgcc_s.so.1...Reading symbols from /usr/lib/debug/lib64/libgcc_s-4.1.2-20080102.so.1.debug...done.
done.
Loaded symbols for /lib64/libgcc_s.so.1
Core was generated by `radeapclient tintin.services.adelaide.edu.au auth test1'.
Program terminated with signal 6, Aborted.
#0  0x00002b2535662155 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) up
#1  0x00002b2535663bf0 in *__GI_abort () at abort.c:88
88	  raise (SIGABRT);
(gdb) up
#2  0x00002b253569c38b in __libc_message (do_abort=2, fmt=0x2b2535750d68 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
170	  abort ();
(gdb) up
#3  0x00002b25356a3634 in _int_free (av=0x2b25359809a0, mem=<value optimized out>) at malloc.c:5768
5768	    __libc_message (action & 2,
(gdb) up
#4  0x00002b25356a6c5c in *__GI___libc_free (mem=0x6) at malloc.c:3545
3545	  _int_free(ar_ptr, mem);
(gdb) up
#5  0x00002b25343e5a60 in eap_basic_compose (packet=0x4dd1510, reply=0x7fff768e0140) at eapcommon.c:219
219			free(reply->type.data);
(gdb) list
214	 * Zero length/No typedata is supported as long as
215	 * type is defined
216	 */
217		if (reply->type.data && reply->type.length > 0) {
218			memcpy(&hdr->data[1], reply->type.data, reply->type.length);
219			free(reply->type.data);        <------- HERE !!!
220			reply->type.data = reply->packet + EAP_HEADER_LEN + 1/*EAPtype*/;
221		}
222	}
223
(gdb)

Summary edited.

This event sent from IssueTracker by mpoole [Support Engineering Group]
issue 245803

--- Additional comment from tao on 2008-12-15 06:45:35 EDT ---

One up again:

(gdb) up
#6  0x00002b25343e5b73 in map_eap_types (req=0x4dd1510) at eapcommon.c:389
389			eap_basic_compose(req, &ep);
(gdb) list
384			ep.code = eapcode;
385			ep.id = id;
386			ep.type.type = eap_type;
387			ep.type.length = vp->length;
388			ep.type.data = vp->strvalue;   <--- Assigning ptr to ptr
389			eap_basic_compose(req, &ep);
390		}
391	}
392
393	/*
(gdb)

Patch freeradius-1.0.1-rlm_eapcommon.patch attached seems to resolve the problem.

This event sent from IssueTracker by mpoole [Support Engineering Group]
issue 245803

--- Additional comment from mpoole on 2008-12-15 06:48:40 EDT ---

Created an attachment (id=326933)
patch for free bug

This patch appears to correspond to the changes made in current (but abandoned) V1.1 upstream. No return value checking, but meh.
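The two gdb listings above show an ownership mismatch: map_eap_types() points ep.type.data at the value pair's own string storage (line 388), while eap_basic_compose() assumes type.data is a heap block it may free() after copying it into the wire buffer (lines 217-220). The following is an added example written for this page, not FreeRADIUS code and not the attached patch (which is not reproduced here). It reconstructs the composer's contract in a small self-contained model, keeps the buggy caller for contrast (it is never executed), and shows a caller that satisfies the contract by handing over a heap copy. The types value_pair_t and eap_packet_t, the inline strvalue buffer and its size, and the names eap_basic_compose_sim, map_eap_types_buggy, map_eap_types_fixed, build_identity_request and identity_request_ok are all constructed for this example; the EAP header layout (code, id, 16-bit big-endian length, type) is the standard one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EAP_HEADER_LEN  4      /* code(1) id(1) length(2); the EAP type byte follows */
#define PW_EAP_REQUEST  1
#define PW_EAP_IDENTITY 1
#define VP_STRING_MAX   64     /* hypothetical size of the stand-in inline buffer */

/* Constructed stand-in for a RADIUS value pair: the string lives INSIDE the
 * struct, so vp->strvalue is never a heap block of its own. */
typedef struct {
    size_t  length;
    uint8_t strvalue[VP_STRING_MAX];
} value_pair_t;

/* Constructed stand-in for the EAP packet structure seen in the gdb frames. */
typedef struct {
    uint8_t code, id;
    struct { uint8_t type; size_t length; uint8_t *data; } type;  /* composer free()s data */
    uint8_t *packet;       /* encoded wire packet, heap allocated */
    size_t   packet_len;
} eap_packet_t;

/* Same ownership contract as eapcommon.c:217-220 in the listing: copy type.data
 * into the wire buffer, free() the original, re-point type.data into the packet. */
int eap_basic_compose_sim(eap_packet_t *reply)
{
    size_t   len = EAP_HEADER_LEN + 1 + reply->type.length;
    uint8_t *hdr = malloc(len);
    if (hdr == NULL) return -1;
    hdr[0] = reply->code;
    hdr[1] = reply->id;
    hdr[2] = (uint8_t)(len >> 8);        /* EAP length field is big-endian */
    hdr[3] = (uint8_t)(len & 0xff);
    hdr[4] = reply->type.type;
    if (reply->type.data && reply->type.length > 0) {
        memcpy(hdr + EAP_HEADER_LEN + 1, reply->type.data, reply->type.length);
        free(reply->type.data);          /* valid only for a heap block the caller gave up */
        reply->type.data = hdr + EAP_HEADER_LEN + 1;
    }
    reply->packet = hdr;
    reply->packet_len = len;
    return 0;
}

/* The pattern at eapcommon.c:388: aliasing the inline buffer hands a non-heap
 * pointer to a function that free()s it ("free(): invalid pointer"). Never called. */
void map_eap_types_buggy(eap_packet_t *req, value_pair_t *vp, uint8_t id)
{
    req->code = PW_EAP_REQUEST; req->id = id; req->type.type = PW_EAP_IDENTITY;
    req->type.length = vp->length;
    req->type.data = vp->strvalue;       /* BUG: points into the middle of *vp */
    eap_basic_compose_sim(req);          /* -> free(vp->strvalue) -> abort */
}

/* Corrected caller: the composer gets a heap copy it may free; zero-length
 * type data (allowed by the listing's comment) is passed as NULL, not aliased. */
int map_eap_types_fixed(eap_packet_t *req, const value_pair_t *vp, uint8_t id)
{
    uint8_t *copy = NULL;
    if (vp->length > 0) {
        if ((copy = malloc(vp->length)) == NULL) return -1;
        memcpy(copy, vp->strvalue, vp->length);
    }
    req->code = PW_EAP_REQUEST; req->id = id; req->type.type = PW_EAP_IDENTITY;
    req->type.length = vp->length;
    req->type.data = copy;
    if (eap_basic_compose_sim(req) != 0) { free(copy); req->type.data = NULL; return -1; }
    return 0;
}

/* After compose, type.data aliases packet: exactly one block to release. */
void eap_packet_free(eap_packet_t *p) { free(p->packet); p->packet = NULL; p->type.data = NULL; }

/* Builds the EAP-Identity request described by the 'junk' file on the page.
 * Returns the encoded length, 0 on error; release with eap_packet_free(). */
size_t build_identity_request(eap_packet_t *out, const char *identity, uint8_t id)
{
    value_pair_t vp = { .length = strlen(identity) };
    if (vp.length > VP_STRING_MAX) return 0;   /* would overflow the inline buffer */
    memcpy(vp.strvalue, identity, vp.length);
    memset(out, 0, sizeof *out);
    return map_eap_types_fixed(out, &vp, id) == 0 ? out->packet_len : 0;
}

/* Self-check: header fields, payload and the post-compose aliasing invariant. */
int identity_request_ok(const char *identity, uint8_t id)
{
    eap_packet_t p;
    size_t n = strlen(identity), len = build_identity_request(&p, identity, id);
    if (len == 0) return 0;
    int ok = len == EAP_HEADER_LEN + 1 + n
          && p.packet[0] == PW_EAP_REQUEST && p.packet[1] == id
          && p.packet[2] == (uint8_t)(len >> 8) && p.packet[3] == (uint8_t)(len & 0xff)
          && p.packet[4] == PW_EAP_IDENTITY
          && memcmp(p.packet + EAP_HEADER_LEN + 1, identity, n) == 0
          && (n == 0 ? p.type.data == NULL : p.type.data == p.packet + EAP_HEADER_LEN + 1);
    eap_packet_free(&p);
    return ok;
}

int main(void)
{
    eap_packet_t p;
    size_t len = build_identity_request(&p, "groundwork", 210);
    for (size_t i = 0; i < len; i++) printf("%02x ", p.packet[i]);   /* 01 d2 00 0f 01 67 ... */
    printf("\n");
    eap_packet_free(&p);
    return 0;
}
```

The point of the model is that the composer's free() is only correct when the caller has given up a block of its own; copying into a fresh malloc() is one way to meet that contract and is what this example does, without claiming to match the attached patch. The zero-length branch matters too: the composer skips the free() when length is 0, so a caller that always allocated would leak, which is why map_eap_types_fixed passes NULL in that case. Under glibc this class of bug is caught at free() time, as in the report; building with AddressSanitizer flags it at the same point with a "attempting free on address which was not malloc()-ed" report that names the owning object.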
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1678.html