FreeRADIUS segmentation fault after receiving key

Bug #1260828 reported by Adam Bishop
Affects Status Importance Assigned to Milestone
Project Moonshot
Fix Released
Undecided
Unassigned

Bug Description

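After receiving a key from the TIDC client, FreeRADIUS segfaults. I can reproduce this if more debugging is needed, but the backtrace looks OK. Frame #0 shows cf_log_err_cs being called with cs=0x0 from realms_home_server_add while it reports "Duplicate home server name", so the crash appears to be a NULL pointer dereference on that error path.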

tidc_fwd_request: Response Received (1316 bytes).
{"msg_type": "tid_response", "msg_body": {"result": "success", "comm": "apc.moonshot.ja.net", "rp_realm": "ms-idp.dev.ja.net", "target_realm": "dev.ja.net", "servers": [{"server_addr": "212.219.210.203", "server_dh": {"dh_p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dh_g": "02", "dh_pub_key": "9B5F3F800E1E682451938182141F8D12E501D5CEC55DF54C1397F1E032184A2D6B2E4E97D0211B1FC7861E9005C1BC17305D09905BE8E092223A4140F6FC0251ABD8C63FAF7148ECCBA3CC2E3636F028E6D1EBD74A5877BA921C73ED4FD7E9C7EB5CEBB420B36E70E2298B5E9DCBCC7DE21D669A62A85D1A516B1EA6E63DCF2C22255FEE46B50034A2C2ABEDC8EBC5ABE48C5DA953D4E1E65388810A746A0DC99D83D9A97F5AAFE7CD8E66DEC1A814296F58DCEA23BC27AC575A58EB5D733F74418095492714857340A2F641E15E58D71D72DA5B647A11E8D60C4F012C0828E806A470524162CE83532B8E5CEE3C0D7817394A55B21AC0B4E6A07B99FF8A1B03"}, "key_name": "key-224497"}]}}
tr_msg_decode_tidresp(): Success! result = success.
tr_msg_decode_servers(): Number of servers = 1.
construct_tls: Client key generated (key name = key-224497):
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

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6db8b70 (LWP 13443)]

#0 0xb7da01c3 in cf_log_err_cs (cs=cs@entry=0x0, fmt=0x808d77c "Duplicate home server name %s.") at src/main/conffile.c:2733
        ap = 0xb6db7338 "\020\363P\b\030"
        buffer = "Duplicate home server name blah.\000\371\377\267\340\223P\b\004\000\000\000\330\354P\b\201-\301?\244\300\356\002\\\275\241\016\070P\206\364\000\000\000\000\000s۶\270r۶\304r۶\275s\232\326\b\371\377\267\000\000\000\000\214\020s-m\264g\345\027\320\004\b\357)Ӳ(\313\365\246\332\310\335P\000\000\000\000\000\000\000\000\244\177\t\b\230\177\035\b\340\230\070\b\300\361P\b\246>\a\b\020\363P\bx\247\070\b\350\227ٷ\000p۷\220ޏ^\377\377\377\377\364\357\377\267\027\320\004\b\005\000\000\000\020s۶\026\374\376\267\300\372\377\267\000\000\000\000\001\000\000\000\005\000\000\000\000\000\000\000\005\000\000\000h\302\004\bd\200\t\b\000\000\000\000\350\227ٷ\244\177\t\b\300\361P\b|.\251\267\300\361P\b\300Y\377\267\005\000\000\000`\001ڷ"
#1 0x08074234 in realms_home_server_add (home=home@entry=0x850f1c0, cs=cs@entry=0x0, dual=dual@entry=0) at src/main/realms.c:442
        parent = 0x0
        name2 = 0x850f310 "blah"
#2 0xb7a9229b in tr_response_func (inst=0x8204b88, req=0x8231ff8, resp=0x84e5460, cookie=0x845c3e0) at src/modules/rlm_realm/trustrouter_integ.c:162
        i = <optimized out>
        hs = 0x850f1c0
        server = 0x850f470
        pool = 0x84e5070
        nr = 0x0
        home_pool_name = "hp-dev.ja.net\000uffer>\000\221\266\267u\244\266\267\000\000\000\000\370s۶\002\000\000\000\004\005\000\000\250\256\247\267\a\000\000\000\226\221\266\267\n\000\000\000`\005\000\000\245\000\000\000\070\005\000\000L\000\000\000\061\063\061\066\235%÷\370sŷ)\005\000\000\000\005\000\000\300sŷ \227ͷ\340dŷ\000\000\000\000\000\000\000\000\035ȶ\267Ptŷh\000\000\000\364?\233\267\260t۶ \353O\b\301\272\230\267 \353O\b\035ȶ\267\260\255N\b\364立\364立\364立H\360O\b|\263\247\267\250t۶\260t۶$\005\000\000\260t۶\254t۶\000\000\000\000\001\005\000\000\354t۶\310t۶\274t۶\274t۶\364_ŷ\340dŷ\001\000\000\000\330t۶\r\376\275\267\000\000\000\000\000\000\000\000\r\376\275\267\000:=\037"
        pool_added = 0
        home_server_ip = {af = 2, ipaddr = {ip4addr = {s_addr = 3419593684}, ip6addr = {__in6_u = {__u6_addr8 = "\324\333\322\313@\343P\b0\225P\bUǧ\267", __u6_addr16 = {56276, 52178, 58176, 2128, 38192, 2128, 51029, 47015}, __u6_addr32 = {3419593684, 139518784,
                  139498800, 3081226069}}}}, scope = 0}
        opaque = 0x845c3e0
        num_servers = <optimized out>
#3 0xb7a78bf8 in tidc_fwd_request () from /usr/lib/i386-linux-gnu/libtr_tid.so.0
No symbol table info available.
#4 0xb7a78dac in tidc_send_request () from /usr/lib/i386-linux-gnu/libtr_tid.so.0
No symbol table info available.
#5 0xb7a924c6 in tr_query_realm (q_realm=q_realm@entry=0x845c3d1 "dev.ja.net", q_community=0x820c500 "apc.moonshot.ja.net", q_rprealm=0x820c548 "ms-idp.dev.ja.net", q_trustrouter=0x820c590 "tr1.moonshot.ja.net") at src/modules/rlm_realm/trustrouter_integ.c:221
        conn = <optimized out>
        rc = <optimized out>
        gssctx = 0x83a2e40
        cookie = 0x845c3e0
#6 0xb7a918ea in check_for_realm (returnrealm=0xb6db763c, request=<optimized out>, instance=0x820bfa8) at src/modules/rlm_realm/rlm_realm.c:172
        username = <optimized out>
        vp = <optimized out>
        realm = 0x0
        namebuf = 0x845c3d0 ""
        realmname = <optimized out>
        ptr = <optimized out>
#7 check_for_realm (instance=0x820bfa8, request=<optimized out>, returnrealm=0xb6db763c) at src/modules/rlm_realm/rlm_realm.c:68
        inst = 0x820bfa8
#8 0xb7a91a80 in mod_authorize (instance=0x820bfa8, request=0x83a29f8) at src/modules/rlm_realm/rlm_realm.c:392
        rcode = <optimized out>
        realm = 0x0
#9 0x08065a7a in call_modsingle (request=0x83a29f8, component=1, sp=<optimized out>) at src/main/modcall.c:311
        myresult = <optimized out>
        blocked = <optimized out>
#10 modcall (component=component@entry=1, c=c@entry=0x8288700, request=request@entry=0x83a29f8) at src/main/modcall.c:785
        cursor = {first = 0xb7d8da9a, found = 0x1, last = 0x73, current = 0xb7d9054c, next = 0xb6db7ae0}
        myresult = 1
        mypriority = 2
        stack = {pointer = 1, priority = {<optimized out> <repeats 32 times>}, result = {<optimized out> <repeats 32 times>}, children = {<optimized out> <repeats 32 times>}, start = {<optimized out> <repeats 32 times>}}
        parent = 0x8288700
        child = 0x8288850
        if_taken = 0
        was_if = 0
#11 0x08063749 in indexed_modcall (comp=comp@entry=1, idx=idx@entry=0, request=request@entry=0x83a29f8) at src/main/modules.c:758
        rcode = <optimized out>
        list = 0x8288700
        server = <optimized out>
#12 0x0806429b in process_authorize (autz_type=autz_type@entry=0, request=request@entry=0x83a29f8) at src/main/modules.c:1640
No locals.
#13 0x08053da0 in rad_authenticate (request=0x83a29f8) at src/main/auth.c:426
        namepair = <optimized out>
        check_item = <optimized out>
        auth_item = 0x0
        module_msg = <optimized out>
        tmp = <optimized out>
        result = <optimized out>
        autz_retry = 0 '\000'
        autz_type = 0
#14 0x0807270d in request_running (action=1, request=0x83a29f8) at src/main/process.c:1186
No locals.
#15 request_running (request=0x83a29f8, action=1) at src/main/process.c:1155
---Type <return> to continue, or q <return> to quit---
No locals.
#16 0x0806cd3a in request_handler_thread (arg=0x829e178) at src/main/threads.c:685
        self = 0x829e178
#17 0xb7cd0c39 in start_thread () from /lib/i386-linux-gnu/i686/cmov/libpthread.so.0
No symbol table info available.
#18 0xb7bcc78e in clone () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
No symbol table info available.

Sam Hartman (hartmans) wrote :

Debian packages are in wheezy-proposed. I've also reproduced the issue in our tests, and this appears to fix it.

Changed in moonshot:
status: New → Fix Committed
Changed in moonshot:
status: Fix Committed → Fix Released