On Thu, Dec 09, 2010 at 11:59:07AM +0100, Ralf Hildebrandt wrote:
> Package: freeradius
> Version: 2.1.10+dfsg-2
> Severity: normal
> 
> From our log:
> 
> ...
> Dec  9 11:46:08 dns-cbf freeradius[5716]: Login OK: [00-1A-4B-28-BD-76] (from 
> client 10.43.24.10 port 31016 cli 00-1A-4B-28-BD-76)
> Dec  9 11:46:11 dns-cbf logger: /usr/local/scripts/updateradiususers : 
> reloading freeradius
> Dec  9 11:46:11 dns-cbf freeradius[5716]: Received HUP signal.
> Dec  9 11:46:11 dns-cbf freeradius[5716]: HUP - Re-reading configuration files
> Dec  9 11:46:11 dns-cbf freeradius[5716]: HUP - loading modules
> Dec  9 11:46:11 dns-cbf freeradius[5716]:  Module: Reloaded module "pap"
> Dec  9 11:46:11 dns-cbf freeradius[5716]:  Module: Reloaded module "suffix"
> Dec  9 11:46:12 dns-cbf freeradius[5716]:  Module: Reloaded module "files"
> Dec  9 11:46:12 dns-cbf freeradius[5716]:  Module: Reloaded module "detail"
> Dec  9 11:46:12 dns-cbf freeradius[5716]:  Module: Reloaded module "radutmp"
> Dec  9 11:46:12 dns-cbf freeradius[5716]: Loaded virtual server <default>
> Dec  9 11:46:12 dns-cbf freeradius[5716]: Login OK: [00-1B-78-12-47-83] (from 
> client 10.47.100.13 port 11011 cli 00-1B-78-12-47-83)
> Dec  9 11:46:16 dns-cbf freeradius[5716]: Login OK: [00-0C-29-CF-40-63] (from 
> client 10.47.26.7 port 12048 cli 00-0C-29-CF-40-63)
> Dec  9 11:46:18 dns-cbf freeradius[5716]: Login OK: [00-17-08-8C-DE-C4] (from 
> client 10.47.88.8 port 32021 cli 00-17-08-8C-DE-C4)
> 
> it's crashing here
> 
> I'm attaching the backtrace.
> 
> Program terminated with signal 6, Aborted.
[...]
> #6  0x0805307d in cf_section_parse_free (cs=0xa5a9cb70, base=0xa59360d0) at 
> conffile.c:329
>         p = 0xbfd807a8
>         variables = <value optimized out>
> #7  0x08053f88 in cf_section_free (cs=0xbfd80db8) at conffile.c:344
>         ci = <value optimized out>
>         next = <value optimized out>
> #8  0x08053fea in cf_section_free (cs=0xbfd80e08) at conffile.c:358
>         section = 0xa5a9cb70
>         ci = <value optimized out>
>         next = 0xa5a94f50
> #9  0x08053fea in cf_section_free (cs=0xa8568128) at conffile.c:358
>         section = 0xa5aada30
>         ci = <value optimized out>
>         next = 0xad3c6040
> #10 0x0805e47d in free_mainconfig () at mainconfig.c:983
>         cc = 0xa8568120
>         next = 0xa84f7590

This trace indicates a SIGABRT on a free() in conffile.c:329, which most
likely means that we're freeing random stuff. The code says:

                /*
                 *      No base struct offset, data must be the pointer.
                 *      If data doesn't exist, ignore the entry, there
                 *      must be something wrong.
                 */
                if (!base) {
                        if (!variables[i].data) {
                                continue;
                        }

                        p = (char **) variables[i].data;;

                } else if (variables[i].data) {
                        p = (char **) variables[i].data;;

                } else {
                        p = (char **) (((char *)base) + variables[i].offset);
                }

                free(*p);

That just doesn't seem safe enough when an analogous bit of parsing code in
cf_section_parse() does:

                        data = ((char *)base) + variables[i].offset;

                if (cf_item_parse(cs, variables[i].name, variables[i].type,
                                  data, variables[i].dflt) < 0) {
                        goto error;
                }

and cf_item_parse() can fail, so it stands to reason that *data can
remain unwritten, and should not be free()'d.

-- 
     2. That which causes joy or happiness.
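The following is an added example, not FreeRADIUS's own code, written to illustrate the failure mode the reply above describes: a parse table of offsets into a base struct, a parse step that can fail partway, and a cleanup loop that frees every field unconditionally. All names here (`conf_parser_t`, `client_config_t`, `item_parse`, `section_parse`, `section_parse_free`, `simulate_failed_reload`, `double_free_guarded`) are hypothetical simplifications of the real `CONF_PARSER`, `cf_item_parse()`, `cf_section_parse()` and `cf_section_parse_free()`. It shows the two defensive measures that make the cleanup safe when parsing stops early: the base struct is zero-initialised before parsing, so never-written fields are NULL rather than garbage, and the free loop skips NULL and clears the pointer afterwards so a second reload cannot double-free it.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for one CONF_PARSER entry: the name of the item and
 * the offset of the char* field that receives it inside the base struct. */
typedef struct {
    const char *name;
    size_t      offset;
    const char *dflt;   /* default value; NULL makes item_parse() fail (constructed) */
} conf_parser_t;

/* Hypothetical base struct that the parse table points into. */
typedef struct {
    char *name;
    char *secret;
    char *shortname;
} client_config_t;

/* Constructed table: "secret" has no default, so parsing stops there and
 * "shortname" is never written, like the failed cf_item_parse() in the report. */
static const conf_parser_t client_vars[] = {
    { "name",      offsetof(client_config_t, name),      "localhost" },
    { "secret",    offsetof(client_config_t, secret),    NULL        },
    { "shortname", offsetof(client_config_t, shortname), "lo"        },
    { NULL, 0, NULL }
};

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Stand-in for cf_item_parse(): writes *data only on success. */
static int item_parse(const conf_parser_t *var, char **data)
{
    if (!var->dflt) return -1;
    *data = dup_str(var->dflt);
    return *data ? 0 : -1;
}

/* Stand-in for cf_section_parse(): bails out at the first failing item,
 * leaving every later field exactly as it was before parsing. */
static int section_parse(const conf_parser_t *vars, void *base)
{
    for (int i = 0; vars[i].name; i++) {
        char **data = (char **)((char *)base + vars[i].offset);
        if (item_parse(&vars[i], data) < 0) return -1;
    }
    return 0;
}

/* Hardened stand-in for cf_section_parse_free(): free(NULL) is a no-op, so a
 * zero-initialised struct makes unwritten fields harmless; clearing the pointer
 * after free() guards against a repeated cleanup (e.g. a second HUP).
 * Returns the number of fields actually freed. */
static int section_parse_free(const conf_parser_t *vars, void *base)
{
    int freed = 0;
    for (int i = 0; vars[i].name; i++) {
        char **p = (char **)((char *)base + vars[i].offset);
        if (*p) {
            free(*p);
            *p = NULL;
            freed++;
        }
    }
    return freed;
}

/* Reproduces the report's sequence safely: parse fails on "secret", then the
 * section is freed. With malloc() instead of calloc() and an unconditional
 * free(*p), the unwritten "shortname" field would be garbage and free() would
 * abort, as in the backtrace. Returns the number of fields freed (expected 1). */
int simulate_failed_reload(void)
{
    client_config_t *cfg = calloc(1, sizeof *cfg);
    if (!cfg) return -1;
    int rc = section_parse(client_vars, cfg);
    int freed = section_parse_free(client_vars, cfg);
    free(cfg);
    return (rc < 0) ? freed : -2;
}

/* Frees the same section twice; the second pass must free nothing (expected 0). */
int double_free_guarded(void)
{
    client_config_t *cfg = calloc(1, sizeof *cfg);
    if (!cfg) return -1;
    (void)section_parse(client_vars, cfg);
    (void)section_parse_free(client_vars, cfg);
    int second = section_parse_free(client_vars, cfg);
    free(cfg);
    return second;
}

int main(void)
{
    printf("fields freed after failed parse: %d\n", simulate_failed_reload());
    printf("fields freed on second cleanup:  %d\n", double_free_guarded());
    return 0;
}
```

Running it under a memory checker such as Valgrind or ASan with `calloc` swapped for `malloc` and the `if (*p)` guard removed is the quickest way to see the same invalid free() the backtrace shows; with the guards in place both cleanups are clean.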