-
Bug
-
Resolution: Done-Errata
-
Major
-
None
-
freeradius-3.0.20-1.el7_9.2
-
No
-
Moderate
-
rhel-se-idm
Description of problem:
radiusd segfault with null home_server in process_proxy_reply
Version-Release number of selected component (if applicable):
freeradius-3.0.20-9.module+el8.5.0+12103+998f1584.x86_64
How reproducible:
Very often (more than 10 times per day)
Steps to Reproduce:
Actual results:
radiusd dies with segfault
Expected results:
radiusd doesn't die
Additional info:
(gdb) bt full
#0 process_proxy_reply (request=request@entry=0x55c10c100a30, reply=reply@entry=0x0) at src/main/process.c:2483
rcode = <optimized out>
post_proxy_type = <optimized out>
vp = <optimized out>
old_server = 0x55c10c040250 "default"
#1 0x000055c109e5303a in request_running (action=1, request=0x55c10c100a30) at src/main/process.c:1648
_FUNCTION_ = "request_running"
#2 request_running (request=0x55c10c100a30, action=<optimized out>) at src/main/process.c:1599
_FUNCTION_ = "request_running"
#3 0x000055c109e4b482 in request_handler_thread (arg=0x55c10c0de120) at src/main/threads.c:826
self = 0x55c10c0de120
#4 0x00007fb7557d717a in start_thread (arg=<optimized out>) at pthread_create.c:479
ret = <optimized out>
pd = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf =
,
mask_was_saved = 0}}, priv = {pad =
, data =
{prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
#5 0x00007fb75508edc3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.
(gdb) f 0
#0 process_proxy_reply (request=request@entry=0x55c10c100a30, reply=reply@entry=0x0) at src/main/process.c:2483
2483 if (request->home_server->server) {
(gdb) p *request
$1 = {number = 13940, timestamp = 1638855784, data = 0x0, listener = 0x55c10c0dedc0, client = 0x55c10c06bbd0, packet = 0x55c10c1007b0, username = 0x55c10c100ce0, password = 0x0,
reply = 0x55c10c100be0, config = 0x7fb738003a00, state_ctx = 0x55c10c0efa90, state = 0x0, proxy_listener = 0x0, proxy = 0x0, proxy_reply = 0x0, home_server = 0x0, home_pool = 0x55c10c05cd30,
process = 0x55c109e52f20 <request_running>, response_delay =
, timer_action = FR_ACTION_TIMER, ev = 0x55c10c10cde0, handle = 0x55c109e2c840 <rad_accounting>,
rcode = RLM_MODULE_UPDATED, module = 0x55c109e6e823 "", component = 0x55c109e6b84c "<core>", delay = 499999, master_state = REQUEST_ACTIVE, child_state = REQUEST_RUNNING,
child_pid = 140425153820416, root = 0x55c10a08b0e0 <main_config>, simul_max = 0, simul_count = 0, simul_mpp = 0, priority = RAD_LISTEN_ACCT, in_request_hash = true, in_proxy_hash = false,
num_proxied_requests = 0, num_proxied_responses = 0, server = 0x55c10c040250 "default", parent = 0x0, log =
,
options = 2, coa = 0x0, num_coa_requests = 0}
(gdb)
(gdb) disassemble process_proxy_reply
...
0x000055c109e4c655 <+261>: je 0x55c109e4c898 <process_proxy_reply+840>
0x000055c109e4c65b <+267>: nopl 0x0(%rax,%rax,1)
0x000055c109e4c660 <+272>: mov 0x78(%rbx),%rax # %rax: addr of home_server
0x000055c109e4c664 <+276>: mov 0x110(%rbx),%r14
=> 0x000055c109e4c66b <+283>: mov 0x18(%rax),%rax
...
(gdb) info all-registers
rax 0x0 0
rbx 0x55c10c100a30 94287619426864 # %rbx
rcx 0x1 1
rdx 0x7fb756c50f59 140425411497817
rsi 0xa3 163
rdi 0x0 0
rbp 0x3 0x3
rsp 0x7fb747692e60 0x7fb747692e60
...
rip 0x55c109e4c66b 0x55c109e4c66b <process_proxy_reply+283>
...
(gdb) p/x 0x78+0x55c10c100a30
$8 = 0x55c10c100aa8
(gdb) x 0x55c10c100aa8
0x55c10c100aa8: 0x00000000
(gdb) p ((struct rad_request *)0x55c10c100a30).home_server
$4 = (home_server_t *) 0x0
(gdb) p &((struct rad_request *)0x55c10c100a30).home_server
$5 = (home_server_t **) 0x55c10c100aa8
(gdb)
I suspect the following.
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/ChangeLog
FreeRADIUS 3.0.25 Thu 07 Oct 2021 12:00:00 EDT urgency=medium
Fix segfault when proxying to zombie home server
Links to: RHBA-2025:148162 Major: freeradius bug fix and enhancement update
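The register arithmetic in the gdb session above can be automated for crash triage. The following is an added example, not part of the original report and not FreeRADIUS code: it parses the faulting load and the register dump, classifies the access, and recomputes the address of the field that held the bad pointer. The names `triage` and `parse_regs`, the 0x1000 null-page threshold, and the restriction to `mov disp(%base),%dest` loads are assumptions made for the illustration.

```python
import re

# Constructed input: lines taken from the gdb session in the report above.
DISASM = """\
   0x000055c109e4c660 <+272>: mov 0x78(%rbx),%rax
   0x000055c109e4c664 <+276>: mov 0x110(%rbx),%r14
=> 0x000055c109e4c66b <+283>: mov 0x18(%rax),%rax
"""
REGS = """\
rax 0x0 0
rbx 0x55c10c100a30 94287619426864
rip 0x55c109e4c66b 0x55c109e4c66b <process_proxy_reply+283>
"""

# AT&T-syntax memory load: mov disp(%base),%dest ("=>" marks the faulting insn).
LOAD = re.compile(
    r"^(=>)?\s*0x[0-9a-f]+ <\+(\d+)>:\s+mov\s+(-?0x[0-9a-f]+)?\(%(\w+)\),%(\w+)")

def parse_regs(text):
    """Map register name -> value from 'info all-registers' style lines."""
    regs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].startswith("0x"):
            regs[parts[0]] = int(parts[1], 16)
    return regs

def triage(disasm, regs_text, null_page=0x1000):
    """Classify the faulting load and locate the field that held the bad pointer."""
    regs = parse_regs(regs_text)
    loads = []
    for line in disasm.splitlines():
        m = LOAD.match(line)
        if m:
            loads.append((bool(m[1]), int(m[2]), int(m[3] or "0", 16), m[4], m[5]))
    idx = next(i for i, l in enumerate(loads) if l[0])
    _, offset, disp, base, _ = loads[idx]
    addr = regs[base] + disp
    out = {"offset": offset, "fault_addr": addr,
           "null_deref": addr < null_page, "field_addr": None}
    # Walk back to the load that last wrote the faulting base register. Its own
    # base must differ from its destination, or the original value is gone.
    for _, _, d, b, dest in reversed(loads[:idx]):
        if dest == base:
            if b != dest and b in regs:
                out["field_addr"] = regs[b] + d
            break
    return out

if __name__ == "__main__":
    print(triage(DISASM, REGS))
```

On the report's data, `field_addr` matches the `0x55c10c100aa8` the reporter computed by hand with `p/x 0x78+0x55c10c100a30`.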