Re: Mac OS X EAP-TLS with wrong usename kills freeradius

This is a multi-part message in MIME format.
--------------080801010508080901020109
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

Miika Räisänen wrote:
> Heres coredump gdb logfile
> http://cc.oulu.fi/~mraisane/tmp/gdb-radiusd.log

Well, that's pretty clear:

#0 0x00e97899 in cbtls_verify (ok=1, ctx=0xbff1e330) at rlm_eap_tls.c:257
....
handler = (EAP_HANDLER *) 0x1

That's not a valid pointer. It looks like the handler is being freed
somewhere.

Try the following patch, and run the server in debugging mode. It
won't fix the problem, but it might help track down where/why the server
is freeing an EAP session that's still in the middle of doing SSL.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

--------------080801010508080901020109
Content-Type: text/plain;
name="eap.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="eap.patch"

? eap.patch
? radeapclient
Index: eap.h
================================================== =================
RCS file: /source/radiusd/src/modules/rlm_eap/eap.h,v
retrieving revision 1.27.4.1
diff -u -r1.27.4.1 eap.h
--- eap.h 6 Feb 2006 16:23:50 -0000 1.27.4.1
+++ eap.h 19 Jan 2007 16:12:50 -0000
@@ -121,6 +121,7 @@
int status;

int stage;
+ int in_ssl;
} EAP_HANDLER;

/*
Index: mem.c
================================================== =================
RCS file: /source/radiusd/src/modules/rlm_eap/mem.c,v
retrieving revision 1.14.4.2
diff -u -r1.14.4.2 mem.c
--- mem.c 9 May 2006 20:59:23 -0000 1.14.4.2
+++ mem.c 19 Jan 2007 16:12:51 -0000
@@ -139,6 +139,8 @@
handler->opaque = NULL;
handler->free_opaque = NULL;

+ if (handler->in_ssl) DEBUG2("This will crash the server!");
+
free(handler);
}

Index: libeap/tls.c
================================================== =================
RCS file: /source/radiusd/src/modules/rlm_eap/libeap/tls.c,v
retrieving revision 1.1.2.3
diff -u -r1.1.2.3 tls.c
--- libeap/tls.c 27 Apr 2006 18:53:23 -0000 1.1.2.3
+++ libeap/tls.c 19 Jan 2007 16:12:51 -0000
@@ -267,8 +267,15 @@

void session_close(tls_session_t *ssn)
{
- if(ssn->ssl)
+ if(ssn->ssl) {
+ EAP_HANDLER *handler;
+
+ handler = (EAP_HANDLER *)SSL_get_ex_data(ssn->ssl, 0);
+ if (handler) handler->in_ssl = 0;
+
SSL_free(ssn->ssl);
+ }
+
#if 0
/*
* WARNING: SSL_free seems to decrement the reference counts already,
Index: types/rlm_eap_tls/rlm_eap_tls.c
================================================== =================
RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c,v
retrieving revision 1.21.4.12
diff -u -r1.21.4.12 rlm_eap_tls.c
--- types/rlm_eap_tls/rlm_eap_tls.c 29 Nov 2006 22:59:48 -0000 1.21.4.12
+++ types/rlm_eap_tls/rlm_eap_tls.c 19 Jan 2007 16:12:55 -0000
@@ -615,6 +615,7 @@
* this index should be global.
*/
SSL_set_ex_data(ssn->ssl, 0, (void *)handler);
+ handler->in_ssl = 1;
SSL_set_ex_data(ssn->ssl, 1, (void *)inst->conf);

ssn->length_flag = inst->conf->include_length;

--------------080801010508080901020109
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--------------080801010508080901020109--