On Thu, Dec 09, 2010 at 11:59:07AM +0100, Ralf Hildebrandt wrote:
> Package: freeradius
> Version: 2.1.10+dfsg-2
> Severity: normal
>
> From our log:
>
> ...
> Dec 9 11:46:08 dns-cbf freeradius[5716]: Login OK: [00-1A-4B-28-BD-76] (from
> client 10.43.24.10 port 31016 cli 00-1A-4B-28-BD-76)
> Dec 9 11:46:11 dns-cbf logger: /usr/local/scripts/updateradiususers :
> reloading freeradius
> Dec 9 11:46:11 dns-cbf freeradius[5716]: Received HUP signal.
> Dec 9 11:46:11 dns-cbf freeradius[5716]: HUP - Re-reading configuration files
> Dec 9 11:46:11 dns-cbf freeradius[5716]: HUP - loading modules
> Dec 9 11:46:11 dns-cbf freeradius[5716]: Module: Reloaded module "pap"
> Dec 9 11:46:11 dns-cbf freeradius[5716]: Module: Reloaded module "suffix"
> Dec 9 11:46:12 dns-cbf freeradius[5716]: Module: Reloaded module "files"
> Dec 9 11:46:12 dns-cbf freeradius[5716]: Module: Reloaded module "detail"
> Dec 9 11:46:12 dns-cbf freeradius[5716]: Module: Reloaded module "radutmp"
> Dec 9 11:46:12 dns-cbf freeradius[5716]: Loaded virtual server <default>
> Dec 9 11:46:12 dns-cbf freeradius[5716]: Login OK: [00-1B-78-12-47-83] (from
> client 10.47.100.13 port 11011 cli 00-1B-78-12-47-83)
> Dec 9 11:46:16 dns-cbf freeradius[5716]: Login OK: [00-0C-29-CF-40-63] (from
> client 10.47.26.7 port 12048 cli 00-0C-29-CF-40-63)
> Dec 9 11:46:18 dns-cbf freeradius[5716]: Login OK: [00-17-08-8C-DE-C4] (from
> client 10.47.88.8 port 32021 cli 00-17-08-8C-DE-C4)
>
> it's crashing here
>
> I'm attaching the backtrace.
>
> Program terminated with signal 6, Aborted.
[...]
> #6  0x0805307d in cf_section_parse_free (cs=0xa5a9cb70, base=0xa59360d0) at
> conffile.c:329
>         p = 0xbfd807a8
>         variables = <value optimized out>
> #7  0x08053f88 in cf_section_free (cs=0xbfd80db8) at conffile.c:344
>         ci = <value optimized out>
>         next = <value optimized out>
> #8  0x08053fea in cf_section_free (cs=0xbfd80e08) at conffile.c:358
>         section = 0xa5a9cb70
>         ci = <value optimized out>
>         next = 0xa5a94f50
> #9  0x08053fea in cf_section_free (cs=0xa8568128) at conffile.c:358
>         section = 0xa5aada30
>         ci = <value optimized out>
>         next = 0xad3c6040
> #10 0x0805e47d in free_mainconfig () at mainconfig.c:983
>         cc = 0xa8568120
>         next = 0xa84f7590
This trace indicates a SIGABRT on a free() in conffile.c:329, which most
likely means that we're freeing random stuff. The code says:

		/*
		 *	No base struct offset, data must be the pointer.
		 *	If data doesn't exist, ignore the entry, there
		 *	must be something wrong.
		 */
		if (!base) {
			if (!variables[i].data) {
				continue;
			}
			p = (char **) variables[i].data;;
		} else if (variables[i].data) {
			p = (char **) variables[i].data;;
		} else {
			p = (char **) (((char *)base) + variables[i].offset);
		}

		free(*p);

That just doesn't seem safe enough when an analogous bit of parsing code in
cf_section_parse() does:

		data = ((char *)base) + variables[i].offset;

		if (cf_item_parse(cs, variables[i].name, variables[i].type,
				  data, variables[i].dflt) < 0) {
			goto error;
		}

and cf_item_parse() can fail, so it stands to reason that *data can remain
unwritten, and should not be free()'d.

-- 
     2. That which causes joy or happiness.
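The failure mode discussed above, as an added example that is not freeradius code and not part of this bug thread: a reduced, constructed model of a table-driven section parser (the `demo_*` names and types, the `demo_config_t` struct and the key/value input are all invented for illustration) whose free routine stays safe when parsing aborts partway through. The defence is that the base struct is zeroed before any item is parsed, so a slot that `demo_item_parse()` never wrote holds NULL rather than stack garbage, `free(NULL)` is a no-op, and each slot is reset after release so a repeated free during teardown is equally harmless.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed types modelled loosely on a CONF_PARSER-style table. */
typedef enum { DEMO_STRING, DEMO_INTEGER } demo_type_t;

typedef struct {
    const char *name;
    demo_type_t type;
    size_t offset;      /* offset of the field inside the base struct */
    const char *dflt;   /* default value; NULL means the item is required */
} demo_parser_t;

typedef struct {
    char *hostname;
    int port;
    char *secret;
} demo_config_t;

static const demo_parser_t demo_vars[] = {
    { "hostname", DEMO_STRING,  offsetof(demo_config_t, hostname), "localhost" },
    { "port",     DEMO_INTEGER, offsetof(demo_config_t, port),     "1812" },
    { "secret",   DEMO_STRING,  offsetof(demo_config_t, secret),   NULL },
    { NULL, DEMO_STRING, 0, NULL }   /* sentinel */
};

static char *demo_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy) memcpy(copy, s, n);
    return copy;
}

/* Parse one item into its slot; returns -1 on failure and leaves the slot untouched. */
static int demo_item_parse(const demo_parser_t *var, void *data, const char *value)
{
    char *end;
    long v;

    if (!value) value = var->dflt;
    if (!value) return -1;                      /* required item is missing */

    switch (var->type) {
    case DEMO_STRING:
        *(char **)data = demo_strdup(value);
        return *(char **)data ? 0 : -1;
    case DEMO_INTEGER:
        v = strtol(value, &end, 10);
        if (*end != '\0' || v < 0 || v > 65535) return -1;
        *(int *)data = (int)v;
        return 0;
    }
    return -1;
}

/* Release string slots only. An unwritten slot is NULL (see memset below),
 * so free() is a no-op there; resetting the slot makes a second call safe. */
static void demo_section_parse_free(const demo_parser_t *vars, void *base)
{
    int i;
    for (i = 0; vars[i].name; i++) {
        char **p;
        if (vars[i].type != DEMO_STRING) continue;
        p = (char **)((char *)base + vars[i].offset);
        free(*p);
        *p = NULL;
    }
}

/* Constructed key/value "config section" held as two parallel arrays. */
static const char *demo_lookup(const char *const *keys, const char *const *vals,
                               const char *name)
{
    int i;
    for (i = 0; keys[i]; i++)
        if (strcmp(keys[i], name) == 0) return vals[i];
    return NULL;
}

/* Parse every item; on the first failure free what was already filled in. */
static int demo_section_parse(const demo_parser_t *vars, void *base, size_t base_size,
                              const char *const *keys, const char *const *vals)
{
    int i;
    memset(base, 0, base_size);   /* unwritten pointers become NULL, never garbage */
    for (i = 0; vars[i].name; i++) {
        void *data = (char *)base + vars[i].offset;
        if (demo_item_parse(&vars[i], data, demo_lookup(keys, vals, vars[i].name)) < 0) {
            demo_section_parse_free(vars, base);
            return -1;
        }
    }
    return 0;
}

/* The scenario from the report: "secret" has no value and no default, so parsing
 * fails after "hostname" was already allocated. Returns 1 if cleanup left no
 * dangling pointer and a repeated free during teardown is harmless. */
int demo_failed_parse_is_safe(void)
{
    static const char *const keys[] = { "hostname", "port", NULL };        /* constructed */
    static const char *const vals[] = { "dns-cbf", "1812", NULL };
    demo_config_t cfg;
    int rc = demo_section_parse(demo_vars, &cfg, sizeof cfg, keys, vals);
    demo_section_parse_free(demo_vars, &cfg);   /* second free: must be a no-op */
    return rc == -1 && cfg.hostname == NULL && cfg.secret == NULL && cfg.port == 1812;
}

/* Happy path: every item present; returns 1 if values round-trip and free clears them. */
int demo_full_parse_ok(void)
{
    static const char *const keys[] = { "hostname", "port", "secret", NULL };
    static const char *const vals[] = { "dns-cbf", "1812", "constructed-secret", NULL };
    demo_config_t cfg;
    int ok = demo_section_parse(demo_vars, &cfg, sizeof cfg, keys, vals) == 0
             && strcmp(cfg.hostname, "dns-cbf") == 0 && cfg.port == 1812
             && strcmp(cfg.secret, "constructed-secret") == 0;
    demo_section_parse_free(demo_vars, &cfg);
    return ok && cfg.hostname == NULL && cfg.secret == NULL;
}
```

The point of the memset plus reset-after-free pair is that the free routine no longer has to know which items the parser reached before it hit `goto error`; any slot it finds is either a live allocation or NULL, so the invariant holds on the error path, on the normal path, and on a HUP-triggered reload that tears the configuration down again.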