1 byte leak ?

2007-12-07 Thread blue_11j
Hi,
  I'm *sorry* that I am not good at English
  because I'm Japanese.

I found a memory leak(?) of 1 byte during PEAP authentication, using valgrind.
I tried the following patch for rlm_eap.
It looks like it works well.
Is it the correct way?



diff -urN ../freeradius-1.1.7/src/modules/rlm_eap/eap.c
./src/modules/rlm_eap/eap.c
--- ../freeradius-1.1.7/src/modules/rlm_eap/eap.c   2007-04-08
07:18:34.0 +0900
+++ ./src/modules/rlm_eap/eap.c 2007-10-10 02:44:20.0 +0900
@@ -421,6 +421,11 @@
 */
if (reply-type.data  reply-type.length  0) {
memcpy(hdr-data[1], reply-type.data,
reply-type.length);
+
+   // 2007/10/09 workaround for memory leak.
+   DEBUG2(  rlm_eap: in %s() in %s Freeing
reply-type.data 0x%x, __func__, __FILE__, (unsigned
int)reply-type.data);
+   reply-type.bNeedFreeData = 0;
+
free(reply-type.data);
reply-type.data = reply-packet + EAP_HEADER_LEN +
1/*EAPtype*/;
}
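Review bot: the DEBUG2 added here casts the pointer to `(unsigned int)` for a `%x` conversion, which truncates addresses on a 64-bit build; pass the pointer unchanged to `%p` instead. This clear-flag-then-free sequence is also added verbatim to eapcommon.c later in the patch, so it belongs in one small helper (clear bNeedFreeData, free data) called from both sites rather than two hand-kept copies. The `//` comments do not match the `/* */` style on the surrounding lines (`1/*EAPtype*/`), and a dated "workaround" note should say what the flag means rather than when it was added.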
diff -urN ../freeradius-1.1.7/src/modules/rlm_eap/libeap/eap_tls.c
./src/modules/rlm_eap/libeap/eap_tls.c
--- ../freeradius-1.1.7/src/modules/rlm_eap/libeap/eap_tls.c2007-04-08
06:27:19.0 +0900
+++ ./src/modules/rlm_eap/libeap/eap_tls.c  2007-10-09
22:39:14.0 +0900
@@ -808,6 +808,10 @@
return 0;
}

+   // 2007/10/09 workaround for memory leak.
+   DEBUG2(  rlm_eap: in %s() Malloc(%d) for
eap_ds-request-type.data 0x%x, __func__, (reply-length - TLS_HEADER_LEN
+ 1), (unsigned int)eap_ds-request-type.data);
+   eap_ds-request-type.bNeedFreeData = 1;
+
/* EAPTLS Header length is excluded while computing EAP typelen */
eap_ds-request-type.length = reply-length - TLS_HEADER_LEN;

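Review bot: the size this DEBUG2 reports, `reply->length - TLS_HEADER_LEN + 1`, differs from the length assigned on the very next context line, `reply->length - TLS_HEADER_LEN`; if the extra byte is the EAP type octet (the 1-byte discrepancy the leak is about), the comment should say so, otherwise the logged size is misleading. Setting `bNeedFreeData = 1` here, at a distance from the malloc that actually creates the buffer (not in this hunk), also makes ownership hard to audit; set the flag right where the allocation happens. The `(unsigned int)` / `%x` pointer truncation noted for eap.c applies here as well.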
diff -urN ../freeradius-1.1.7/src/modules/rlm_eap/libeap/eap_types.h
./src/modules/rlm_eap/libeap/eap_types.h
--- ../freeradius-1.1.7/src/modules/rlm_eap/libeap/eap_types.h  2006-05-19
23:19:15.0 +0900
+++ ./src/modules/rlm_eap/libeap/eap_types.h2007-10-09
20:51:14.0 +0900
@@ -88,6 +88,9 @@
unsigned char   type;
unsigned intlength;
unsigned char   *data;
+
+   // 2007/10/09 workaround for memory leak.
+   unsigned intbNeedFreeData;
 } eaptype_t;

 /*
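Review bot: the new `bNeedFreeData` member needs a comment stating its contract (non-zero: `data` was malloc'd and mem.c's free path owns it) instead of a dated "workaround" line, and every place that fills in an `eaptype_t` without a memset must now initialise it, or the conditional free later in this patch tests an indeterminate value. The `b` prefix and camel case do not match the neighbouring `type`, `length`, `data` names; something like `data_malloced` would fit the file.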
diff -urN ../freeradius-1.1.7/src/modules/rlm_eap/libeap/eapcommon.c
./src/modules/rlm_eap/libeap/eapcommon.c
--- ../freeradius-1.1.7/src/modules/rlm_eap/libeap/eapcommon.c  2007-03-05
23:34:55.0 +0900
+++ ./src/modules/rlm_eap/libeap/eapcommon.c2007-10-10
02:43:30.0 +0900
@@ -216,6 +216,11 @@
 */
if (reply-type.data  reply-type.length  0) {
memcpy(hdr-data[1], reply-type.data,
reply-type.length);
+
+   // 2007/10/09 workaround for memory leak.
+   DEBUG2(  rlm_eap: in %s() in %s Freeing
reply-type.data 0x%x, __func__, __FILE__, (unsigned
int)reply-type.data);
+   reply-type.bNeedFreeData = 0;
+
free(reply-type.data);
reply-type.data = reply-packet + EAP_HEADER_LEN +
1/*EAPtype*/;
}
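Review bot: this hunk duplicates the eap.c change above line for line (same DEBUG2, same flag clear); two hand-kept copies of ownership logic in eap.c and eapcommon.c is exactly how a leak like this goes unnoticed, so move the sequence into one helper and call it from both. Same `%x` / `(unsigned int)` pointer-cast issue.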
@@ -386,6 +391,11 @@
ep.type.type = eap_type;
ep.type.length = vp-length;
ep.type.data = malloc(vp-length);
+
+   // 2007/10/09 workaround for memory leak.
+   DEBUG2(  rlm_eap: in %s() Malloc(%d) for ep.type.data
0x%x, __func__, vp-length, (unsigned int)ep.type.data);
+   ep.type.bNeedFreeData = 1;
+
memcpy(ep.type.data,vp-strvalue, vp-length);
eap_basic_compose(req, ep);
}
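Review bot: `ep.type.data = malloc(vp->length)` goes straight into the memcpy with no NULL check, and the new line marks the buffer as owned regardless of whether the allocation succeeded; add an `if (!ep.type.data)` error return between the malloc and the flag so a failed allocation neither copies into NULL nor is later reported as freed. Logging `vp->length` as the Malloc size is consistent with the allocation, unlike the eap_tls.c hunk; the pointer cast issue is the same as elsewhere.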
diff -urN ../freeradius-1.1.7/src/modules/rlm_eap/mem.c
./src/modules/rlm_eap/mem.c
--- ../freeradius-1.1.7/src/modules/rlm_eap/mem.c   2007-02-10
00:42:03.0 +0900
+++ ./src/modules/rlm_eap/mem.c 2007-10-09 22:40:28.0 +0900
@@ -54,6 +54,14 @@
 * so we do not free it but we NULL it
free(eap_packet-type.data);
*/
+
+   // 2007/10/09 workaround for memory leak.
+   if(eap_packet-type.bNeedFreeData) {
+   DEBUG2(  rlm_eap: in %s() Freeing
eap-packet-type.data 0x%x, __func__, (unsigned
int)eap_packet-type.data);
+   eap_packet-type.bNeedFreeData = 0;
+   free(eap_packet-type.data);
+   }
+
eap_packet-type.data = NULL;
}

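Review bot: the comment block just above the insertion (`so we do not free it but we NULL it`, with the `free()` commented out) now contradicts the code, which does free `type.data` whenever the flag is set; rewrite that comment to describe the flag. The DEBUG2 string spells the variable `eap-packet-type.data` (hyphen) while the code uses `eap_packet`, which defeats grepping logs against the source. The order clear flag, free, then set NULL is correct and keeps a second call from double-freeing.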


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: attr_rewrite

2007-12-07 Thread Дмитрий
> radiusd.conf:
>  attr_rewrite User-Name {
> ...
>  new_attribute = yes
> 
>   This means create a NEW attribute, not transform the existing one.

And append = no :)
Thanks!



Re: Fall-Through Syntax

2007-12-07 Thread Phil Mayers

Reynolds, Walter wrote:

> In looking at the list and several examples from various places I
> noticed that Fall-Through = xxx has been listed in different ways.  I
> have seen Yes yes and 1
> 
> What are the options and where would I have been able to find the logic
> in the src so I could have looked myself?  Thanks.


Fall-Through is defined as a server-internal integer attribute. It's 
defined in the dictionaries (dictionary.freeradius.internal):


ATTRIBUTE   Fall-Through    500     integer
VALUE       Fall-Through    No      0
VALUE       Fall-Through    Yes     1

The standard text-AVP parsing machinery therefore parses 
(case-insensitive I believe) yes -> 1 and no -> 0


HTH




Fall-Through Syntax

2007-12-07 Thread Reynolds, Walter
In looking at the list and several examples from various places I
noticed that Fall-Through = xxx has been listed in different ways.  I
have seen Yes yes and 1

What are the options and where would I have been able to find the logic
in the src so I could have looked myself?  Thanks.

---
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438





rlm_sql_log. accounting and locking

2007-12-07 Thread Phil Mayers

All,

The rlm_sql_log module only logs a single query; unlike the main sql 
module which (for accounting) will do an update or insert if not found.


How, if at all, are people merging the rows? Triggers? Post-processing?

Also, I doubt it will be an issue, but just wanted to check; is the 
flock() of the file likely to cause any contention issues? Is there an 
easy way of hashing the NAS-IP-Address to writing to 26 files named 
sql-log-[a-z] and asking radsqlrelay to replay them all?


Thoughts welcome.

Regards,
Phil


attr_rewrite

2007-12-07 Thread Дмитрий
Good afternoon! I have a problem. The user will be authorized with a login
in the form of [EMAIL PROTECTED]; it is necessary that freeradius transforms
this login to [EMAIL PROTECTED]. And so for all users. How to do this? TRIED:
 
radiusd.conf:
attr_rewrite User-Name {
attribute = User-Name
searchin = packet
searchfor = realm1
replacewith = realm2
ignore_case = yes
new_attribute = yes
max_matches = 1
append = yes
}
 
authorize {
Autz-Type unknown {
files
}
User-Name
preprocess
chap
mschap
suffix
files
sqlauth
}
 
in radiusd -X:
 
User-Name = [EMAIL PROTECTED]
User-Password = EBLAImXtaUidLnSa
NAS-IP-Address = 10.173.65.200
rad_lowerpair:  User-Name now '[EMAIL PROTECTED]'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  'realm2'
rlm_attr_rewrite: Added attribute User-Name with value 'realm2'
  modcall[authorize]: module User-Name returns ok for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm realm1 for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm realm1
rlm_realm: Proxying request from user 123456 to realm realm1
rlm_realm: Adding Realm = 123456
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
users: Matched entry DEFAULT at line 3
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sqlauth): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'

 
Сысоев Дмитрий Александрович
Network administrator
Information technology department
ZAO ''Ульяновская Сотовая Связь''
Tel.: +7 (901) 947 17 31
Mob.: +7 (901) 947 02 71
Fax: +7 (8422) 43 51 99
 

Re: rlm_sql_log. accounting and locking

2007-12-07 Thread Alan DeKok
Phil Mayers wrote:
> The rlm_sql_log module only logs a single query; unlike the main sql
> module which (for accounting) will do an update or insert if not found.

  It's difficult to do that without interacting directly with the DB.

  Using the 'detail' file and radrelay functionality may be safer.

> How, if at all, are people merging the rows? Triggers? Post-processing?
> 
> Also, I doubt it will be an issue, but just wanted to check; is the
> flock() of the file likely to cause any contention issues? Is there an
> easy way of hashing the NAS-IP-Address to writing to 26 files named
> sql-log-[a-z] and asking radsqlrelay to replay them all?

  No idea...

  Alan DeKok.


need patch to inst-session_tail clear ?

2007-12-07 Thread blue_11j
Hi,
  I'm *sorry* that I am not good at English
  because I'm Japanese.

I think that the following patch is needed for eaplist_find()
in rlm_eap/mem.c, FreeRADIUS 1.1.7.
Without the patch, when session_head == NULL and session_tail != NULL,
the next eaplist_add() adds the handler to the TAIL.
What do you think about it?


diff -urN ../freeradius-1.1.7/src/modules/rlm_eap/mem.c
./src/modules/rlm_eap/mem.c
--- ../freeradius-1.1.7/src/modules/rlm_eap/mem.c   2007-02-10
00:42:03.0 +0900
+++ ./src/modules/rlm_eap/mem.c 2007-12-07 12:32:23.0 +0900
@@ -301,6 +301,9 @@
rbtree_delete(inst-session_tree, node);

inst-session_head = handler-next;
+   //--- 2007/12/07 added ---
+   if(!inst-session_head) inst-session_tail = NULL;
+   //
if (handler-next) handler-next-prev = NULL;
eap_handler_free(handler);
}
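Review bot: the added tail reset is the right fix: when the handler being unlinked is also the last element, `session_tail` would otherwise keep pointing at the handler that `eap_handler_free()` releases two lines later, and the next `eaplist_add()` would link a new handler through freed memory. Two style points: replace the `//--- 2007/12/07 added ---` and bare `//` markers with a single `/* list now empty */` in the file's comment style, and consider asserting `(session_head == NULL) == (session_tail == NULL)` at the end of the unlink so the invariant is checked rather than assumed.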




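As an added example (not FreeRADIUS code and not part of this post) of the head/tail invariant the patch restores: a minimal doubly-linked list in the shape of the rlm_eap session list, where `eap_list_t`, `eaplist_add` and `eaplist_remove_head` are names assumed for illustration, with a `scenario()` that removes the sole handler with and without the tail reset and reports whether the list is still consistent.

```c
/* Added example, not FreeRADIUS code: a minimal doubly-linked session list
 * with the head/tail invariant the patch above restores. The type and
 * function names are assumptions modelled on rlm_eap/mem.c. */
#include <stdlib.h>
typedef struct eap_handler_t {
    struct eap_handler_t *prev;
    struct eap_handler_t *next;
} eap_handler_t;

typedef struct {
    eap_handler_t *session_head;
    eap_handler_t *session_tail;
} eap_list_t;

/* Append at the tail, as eaplist_add() does; with a stale tail this
 * would link the new handler through freed memory. */
static void eaplist_add(eap_list_t *l, eap_handler_t *h)
{
    h->prev = l->session_tail;
    h->next = NULL;
    if (l->session_tail) l->session_tail->next = h;
    else l->session_head = h;
    l->session_tail = h;
}

/* Unlink and free the head; fixed != 0 applies the patch's tail reset. */
static void eaplist_remove_head(eap_list_t *l, int fixed)
{
    eap_handler_t *h = l->session_head;
    if (!h) return;
    l->session_head = h->next;
    if (fixed && !l->session_head) l->session_tail = NULL;
    if (h->next) h->next->prev = NULL;
    free(h);
}

/* The invariant: the list is empty at the head iff it is empty at the tail. */
static int eaplist_consistent(const eap_list_t *l)
{
    return (l->session_head == NULL) == (l->session_tail == NULL);
}

/* Add one handler, remove it, and report whether the invariant still holds:
 * 1 with the patch applied, 0 without it (tail still points at freed h). */
int scenario(int fixed)
{
    eap_list_t l = { NULL, NULL };
    eaplist_add(&l, malloc(sizeof(eap_handler_t)));
    eaplist_remove_head(&l, fixed);
    return eaplist_consistent(&l);
}
```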


Newbie question

2007-12-07 Thread Monah Baki
Hi all,

I am new to freeradius and I want to know if it's possible to perform the
following.
I provide for multiple people access to the internet via a proxy server
with authentication (htpasswd), server is FreeBSD.
I want to deny them access after 1 month. I was wondering if freeradius
can work with the htpasswd password file, and then deny them access after
1 month.

Thank you



Re: freeradius compile problem

2007-12-07 Thread Alan DeKok
Dave Gibelli wrote:
> Hi 
> I am having problems compiling with eap module. Here is the section
> from config.log showing what I think is the problem. I have the latest
> OpenSSL and Freeradius 1.1.7
> 
> Any ideas?
> 
> configure:20584: gcc -o conftest -g -O2 -D_REENTRANT

  It's not a compile problem.  The configure tests are there so that
the server can find out if your system has the packages to *start* the
compilation.

  In this case, your system fails to meet the minimum prerequisites to
build all of the modules in EAP.

> -D_POSIX_PTHREAD_SEMANTICS   conftest.c -lssl  -L/usr/local/ssl/lib
> -lnsl -lresolv  -lpthread 5
> /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_clear':
> ssl_lib.c:(.text+0x28): undefined reference to `ERR_put_error'

  You do not have the crypto libraries installed.

  Alan DeKok.


freeradius compile problem

2007-12-07 Thread Dave Gibelli
Hi

I am having problems compiling with eap module. Here is the section
from config.log showing what I think is the problem. I have the latest
OpenSSL and Freeradius 1.1.7

Any ideas?

configure:20584: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS   conftest.c -lssl  -L/usr/local/ssl/lib
-lnsl -lresolv  -lpthread 5
/usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_clear':
ssl_lib.c:(.text+0x28): undefined reference to `ERR_put_error'
ssl_lib.c:(.text+0x13a): undefined reference to `BUF_MEM_free'
/usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_new':
ssl_lib.c:(.text+0x1ba): undefined reference to `CRYPTO_malloc'


Re: Newbie question

2007-12-07 Thread tnt
http://www.freeradius.org/radiusd/doc/rlm_passwd

Deny access after one month - Expiration attribute.

Ivan Kalik
Kalik Informatika ISP



On 7/12/2007, Monah Baki [EMAIL PROTECTED] writes:

> Hi all,
> 
> I am new to freeradius and I want to know if it's possible to perform the
> following.
> I provide for multiple people access to the internet via a proxy server
> with authentication (htpasswd), server is FreeBSD.
> I want to deny them access after 1 month. I was wondering if freeradius
> can work with the htpasswd password file, and then deny them access after
> 1 month.
> 
> Thank you



Re: Configuring LDAP for query ONLY...

2007-12-07 Thread Phil Mayers

Eric Martell wrote:

> Hi Phil,
>    I need some help again. Is there a way in the ldap
> module we can specify to return only ONE result for
> search filter. In my ldap tree when search with a
> filter ((uid=test1)(phone=1231313128)) I get multiple
> results.
> 
> And in the log I get message as search failed. I just
> want to return whatever the first result. 
> 
> rlm_ldap: performing search in dc=eng,dc=com, with
> filter ((uid=test1)(phone=1231313128))
> rlm_ldap: object not found or got ambiguous search
> result
> rlm_ldap: search failed
> 
> Please help.


I don't think you can. You'll need to use a different (more specific?) 
search filter that gives unique results (and anyway, matching a random 
choice of N returned is not sensible - how do you know the one that 
matches even has a password attribute or is even a valid user object?)




> Thanks and Regards,
> Eric.
> 
> --- Eric Martell [EMAIL PROTECTED] wrote:
> 
>> Thanks so much Phil. I am using freeradius-1.0.4
>> 
>> I am going to install the latest version and will try
>> your suggestion.
>> 
>> Thanks and Regards.
>> Eric.
>> 
>> --- Phil Mayers [EMAIL PROTECTED] wrote:
>> 
>>> Eric Martell wrote:
>>> 
>>>> Hi,
>>>>   Is it possible to altogether avoid authenticate section and just
>>>> do ldap lookups in the authorize section?
>>>> 
>>>> authorize {
>>>>    ldap {
>>>>  notfound = reject
>>>>    }
>>>> }
>>>> 
>>>> The problem is in the authenticate section, radius gets the userDN
>>>> from the authorize and tries to bind ldap with password which we
>>>> don't have.
>>>> 
>>>> I also tried in users file
>>>> Ldap-UserDN :=
>>>> `cn=Manager,dc=eng,dc=com/answer2` 
>>> 
>>> Assuming you are using a recent version of
>>> FreeRadius, you can do one of 
>>> the following:
>>> 
>>> modules {
>>>    ldap {
>>>  ...
>>>  set_auth_type = no
>>>    }
>>> }
>>> 
>>> authorize {
>>>    preprocess
>>>    ldap
>>>    pap
>>> }
>>> 
>>> authenticate {
>>>    Auth-Type PAP {
>>>  pap
>>>    }
>>> }



Re: rlm_sql_log. accounting and locking

2007-12-07 Thread Nicolas Baradakis
Phil Mayers wrote:

> The rlm_sql_log module only logs a single query; unlike the main sql 
> module which (for accounting) will do an update or insert if not found.
> 
> How, if at all, are people merging the rows? Triggers? Post-processing?

Indeed rlm_sql_log executes a single SQL statement. However you could
use more complex statements than the config example. For example you
have the INSERT ... ON DUPLICATE KEY UPDATE syntax since MySQL 4.1
or stored procedures since MySQL 5.0.

> Also, I doubt it will be an issue, but just wanted to check; is the 
> flock() of the file likely to cause any contention issues? Is there an 
> easy way of hashing the NAS-IP-Address to writing to 26 files named 
> sql-log-[a-z] and asking radsqlrelay to replay them all?

Don't worry too much about the lock. rlm_sql_log is locking the sql-relay
file and radsqlrelay is locking sql-relay.work therefore the lock should
never block. It's only there to catch a corner case where the file is
renamed before rlm_sql_log finishes writing.

I note rlm_sql_log and radsqlrelay are interacting exactly the same way
as rlm_detail and radrelay do.

-- 
Nicolas Baradakis
