SIGSEGV in dpp_tcp_conn_status_requested

Masashi Honma masashi.honma at gmail.com
Fri Apr 1 16:16:19 PDT 2022


I could reproduce it with FreeRADIUS 3.0.25.
I sent a patch for it and CCed to you.

Regards,
Masashi Honma.

On Sun, 27 Mar 2022 at 21:44, Alexander Clouter <alex+hostapd at coremem.com> wrote:
>
> Hello,
>
> The following commit (found by git bisecting) causes eapol_test to segfault for any EAP type (uncovered by our unit tests in FreeRADIUS):
> ----
> commit 33cb47cf01912dbd054300fa6c118782cba69812
> Author: Jouni Malinen <quic_jouni at quicinc.com>
> Date:   Fri Jan 28 17:28:49 2022 +0200
>
>     DPP: Fix connection result reporting when using TCP
> ----
>
> It gets through to the access-accept without problems but then explodes with a NULL dereference of dpp in calling dpp_tcp_conn_status_requested:
> ----
> root at b2d619d13ea8:/usr/src/freeradius-server# gdb -args /usr/local/bin/eapol_test -c /usr/src/freeradius-server/s
> rc/tests/eap-md5.conf -p 12340 -s testing123 -n
> GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
> Copyright (C) 2021 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> Type "show copying" and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <https://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
>     <http://www.gnu.org/software/gdb/documentation/>.
>
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from /usr/local/bin/eapol_test...
> (gdb) run
> Starting program: /usr/local/bin/eapol_test -c /usr/src/freeradius-server/src/tests/eap-md5.conf -p 12340 -s testing123 -n
> warning: Error disabling address space randomization: Operation not permitted
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Reading configuration file '/usr/src/freeradius-server/src/tests/eap-md5.conf'
> Line: 4 - start of a new network block
> key_mgmt: 0x4
> eap methods - hexdump(len=16): 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00
> identity - hexdump_ascii(len=3):
>      62 6f 62                                          bob
> password - hexdump_ascii(len=3):
>      62 6f 62                                          bob
> Priority group 0
>    id=0 ssid=''
> Authentication server 127.0.0.1:12340
> RADIUS local address: 127.0.0.1:40255
> ENGINE: Loading builtin engines
> ENGINE: Loading builtin engines
> EAPOL: SUPP_PAE entering state DISCONNECTED
> EAPOL: KEY_RX entering state NO_KEY_RECEIVE
> EAPOL: SUPP_BE entering state INITIALIZE
> EAP: EAP entering state DISABLED
> EAPOL: External notification - portValid=0
> EAPOL: External notification - portEnabled=1
> EAPOL: SUPP_PAE entering state CONNECTING
> EAPOL: SUPP_BE entering state IDLE
> EAP: EAP entering state INITIALIZE
> EAP: EAP entering state IDLE
> Sending fake EAP-Request-Identity
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_PAE entering state RESTART
> EAP: EAP entering state INITIALIZE
> EAP: EAP entering state IDLE
> EAPOL: SUPP_PAE entering state AUTHENTICATING
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Request id=221 method=1 vendor=0 vendorMethod=0
> EAP: EAP entering state IDENTITY
> CTRL-EVENT-EAP-STARTED EAP authentication started
> EAP: Status notification: started (param=)
> EAP: EAP-Request Identity data - hexdump_ascii(len=0):
> EAP: using real identity - hexdump_ascii(len=3):
>      62 6f 62                                          bob
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: SUPP_BE entering state RESPONSE
> EAPOL: txSuppRsp
> WPA: eapol_test_eapol_send(type=0 len=8)
> TX EAP -> RADIUS - hexdump(len=8): 02 dd 00 08 01 62 6f 62
> Encapsulating EAP message into a RADIUS packet
> Learned identity from EAP-Response-Identity - hexdump(len=3): 62 6f 62
> Sending RADIUS message to authentication server
> RADIUS message: code=1 (Access-Request) identifier=0 length=120
>    Attribute 1 (User-Name) length=5
>       Value: 'bob'
>    Attribute 4 (NAS-IP-Address) length=6
>       Value: 127.0.0.1
>    Attribute 31 (Calling-Station-Id) length=19
>       Value: '02-00-00-00-00-01'
>    Attribute 12 (Framed-MTU) length=6
>       Value: 1400
>    Attribute 61 (NAS-Port-Type) length=6
>       Value: 19
>    Attribute 6 (Service-Type) length=6
>       Value: 2
>    Attribute 77 (Connect-Info) length=24
>       Value: 'CONNECT 11Mbps 802.11b'
>    Attribute 79 (EAP-Message) length=10
>       Value: 02dd000801626f62
>    Attribute 80 (Message-Authenticator) length=18
>       Value: 8e460acbe70c8b48da0142d7c9a35210
> Next RADIUS client retransmit in 3 seconds
> EAPOL: SUPP_BE entering state RECEIVE
> Received 92 bytes from RADIUS server
> Received RADIUS message
> RADIUS message: code=11 (Access-Challenge) identifier=0 length=92
>    Attribute 26 (Vendor-Specific) length=12
>       Value: 00007d00030600003034
>    Attribute 79 (EAP-Message) length=24
>       Value: 01de001604108c7cb6617a3e4f2a77bb2f2197b1f09b
>    Attribute 80 (Message-Authenticator) length=18
>       Value: 4f89a0937f997be735e30d607eea06f0
>    Attribute 24 (State) length=18
>       Value: 136657c013b8531e7277c9ab4159f20f
> STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>
> RADIUS packet matching with station
> decapsulated EAP packet (code=1 id=222 len=22) from RADIUS server: EAP-Request-MD5 (4)
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Request id=222 method=4 vendor=0 vendorMethod=0
> EAP: EAP entering state GET_METHOD
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4
> EAP: Status notification: accept proposed method (param=MD5)
> EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
> EAP: EAP entering state METHOD
> EAP-MD5: Challenge - hexdump(len=16): 8c 7c b6 61 7a 3e 4f 2a 77 bb 2f 21 97 b1 f0 9b
> EAP-MD5: Generating Challenge Response
> EAP-MD5: Response - hexdump(len=16): 54 75 a5 8d b5 f8 48 db bf 66 0f 39 5f 07 64 69
> EAP: method process -> ignore=FALSE methodState=DONE decision=COND_SUCC eapRespData=0x55f8f524e3d0
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: SUPP_BE entering state RESPONSE
> EAPOL: txSuppRsp
> WPA: eapol_test_eapol_send(type=0 len=22)
> TX EAP -> RADIUS - hexdump(len=22): 02 de 00 16 04 10 54 75 a5 8d b5 f8 48 db bf 66 0f 39 5f 07 64 69
> Encapsulating EAP message into a RADIUS packet
>   Copied RADIUS State Attribute
> Sending RADIUS message to authentication server
> RADIUS message: code=1 (Access-Request) identifier=1 length=152
>    Attribute 1 (User-Name) length=5
>       Value: 'bob'
>    Attribute 4 (NAS-IP-Address) length=6
>       Value: 127.0.0.1
>    Attribute 31 (Calling-Station-Id) length=19
>       Value: '02-00-00-00-00-01'
>    Attribute 12 (Framed-MTU) length=6
>       Value: 1400
>    Attribute 61 (NAS-Port-Type) length=6
>       Value: 19
>    Attribute 6 (Service-Type) length=6
>       Value: 2
>    Attribute 77 (Connect-Info) length=24
>       Value: 'CONNECT 11Mbps 802.11b'
>    Attribute 79 (EAP-Message) length=24
>       Value: 02de001604105475a58db5f848dbbf660f395f076469
>    Attribute 24 (State) length=18
>       Value: 136657c013b8531e7277c9ab4159f20f
>    Attribute 80 (Message-Authenticator) length=18
>       Value: 21882ee5c44762351e416f4341aafd12
> Next RADIUS client retransmit in 3 seconds
> EAPOL: SUPP_BE entering state RECEIVE
> Received 61 bytes from RADIUS server
> Received RADIUS message
> RADIUS message: code=2 (Access-Accept) identifier=1 length=61
>    Attribute 26 (Vendor-Specific) length=12
>       Value: 00007d00030600003034
>    Attribute 79 (EAP-Message) length=6
>       Value: 03de0004
>    Attribute 80 (Message-Authenticator) length=18
>       Value: 4102427ec3a251a43a339fb22b6bd474
>    Attribute 1 (User-Name) length=5
>       Value: 'bob'
> STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>
> RADIUS packet matching with station
> decapsulated EAP packet (code=3 id=222 len=4) from RADIUS server: EAP Success
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Success
> EAP: Status notification: completion (param=success)
> EAP: EAP entering state SUCCESS
> CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
> EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
> WPA: EAPOL processing complete
> Cancelling authentication timeout
> State: DISCONNECTED -> COMPLETED
>
> Program received signal SIGSEGV, Segmentation fault.
> dpp_tcp_conn_status_requested (dpp=0x0) at ../src/common/dpp_tcp.c:2246
> 2246            dl_list_for_each(conn, &dpp->tcp_init, struct dpp_connection, list) {
> (gdb) where
> #0  dpp_tcp_conn_status_requested (dpp=0x0) at ../src/common/dpp_tcp.c:2246
> #1  0x000055f8f391d434 in wpas_dpp_connected (wpa_s=0x7fff19d483b0) at dpp_supplicant.c:438
> #2  0x000055f8f39a99cc in sm_SUPP_PAE_Step (sm=0x55f8f517dbc0) at ../src/eapol_supp/eapol_supp_sm.c:417
> #3  eapol_sm_step (sm=0x55f8f517dbc0) at ../src/eapol_supp/eapol_supp_sm.c:989
> #4  0x000055f8f39aa3a5 in eapol_sm_rx_eapol (sm=0x55f8f517dbc0, src=<optimized out>,
>     buf=buf at entry=0x55f8f524dae0 "\003", len=<optimized out>) at ../src/eapol_supp/eapol_supp_sm.c:1384
> #5  0x000055f8f3a64b2e in ieee802_1x_decapsulate_radius (e=0x55f8f3b38d60 <eapol_test>) at eapol_test.c:831
> #6  ieee802_1x_receive_auth (msg=<optimized out>, req=<optimized out>, shared_secret=<optimized out>,
>     shared_secret_len=10, data=0x55f8f3b38d60 <eapol_test>) at eapol_test.c:945
> #7  0x000055f8f3a65bb6 in radius_client_receive (sock=<optimized out>, eloop_ctx=0x55f8f517d9c0, sock_ctx=0x0)
>     at ../src/radius/radius_client.c:934
> #8  0x000055f8f38f286f in eloop_sock_table_dispatch (table=table at entry=0x55f8f3b388b0 <eloop+16>,
>     fds=fds at entry=0x55f8f524d7e0) at ../src/utils/eloop.c:603
> #9  0x000055f8f38f34ad in eloop_sock_table_dispatch (fds=0x55f8f524d7e0, table=0x55f8f3b388b0 <eloop+16>)
>     at ../src/utils/eloop.c:597
> #10 eloop_run () at ../src/utils/eloop.c:1233
> #11 0x000055f8f38dba25 in main (argc=<optimized out>, argv=<optimized out>) at eapol_test.c:1515
> (gdb)
> ----
>
> This occurs for both OpenSSL 1.1.1 (Debian 'buster' 11) and 3.0.2 (Debian 'experimental').
>
> Let me know if you need anything else.
>
> Cheers
>
> --
> Alexander Clouter
>
> _______________________________________________
> Hostap mailing list
> Hostap at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/hostap
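The backtrace shows dpp_tcp_conn_status_requested() walking dpp->tcp_init with dpp=0x0, reached from wpas_dpp_connected() in a build (eapol_test) that never initialises a DPP context. As an added illustration, not the patch Masashi sent and not hostap's own code, here is a minimal C model of that call path with a NULL guard in the caller; the dl_list stand-in and the struct shapes are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
/* Stand-in for hostap's dl_list (assumption: modelled on src/utils/list.h
 * for illustration, not copied from the project). */
struct dl_list { struct dl_list *next, *prev; };
static void dl_list_init(struct dl_list *l) { l->next = l->prev = l; }
static void dl_list_add(struct dl_list *l, struct dl_list *i)
{
	i->next = l->next; i->prev = l; l->next->prev = i; l->next = i;
}
#define dl_list_entry(item, type, member) \
	((type *)((char *)(item) - offsetof(type, member)))
#define dl_list_for_each(item, list, type, member) \
	for (item = dl_list_entry((list)->next, type, member); \
	     &item->member != (list); \
	     item = dl_list_entry(item->member.next, type, member))

struct dpp_connection { struct dl_list list; bool conn_status_requested; };
struct dpp_global { struct dl_list tcp_init; };

/* Model of dpp_tcp_conn_status_requested(): dereferences dpp unconditionally,
 * as line 2246 in the backtrace does, so a NULL dpp faults here. */
static bool tcp_conn_status_requested(struct dpp_global *dpp)
{
	struct dpp_connection *conn;
	dl_list_for_each(conn, &dpp->tcp_init, struct dpp_connection, list)
		if (conn->conn_status_requested)
			return true;
	return false;
}

/* Model of the caller (wpas_dpp_connected); the guard is the hypothetical
 * fix, since eapol_test never initialises DPP and passes dpp == NULL. */
static bool dpp_connected(struct dpp_global *dpp)
{
	if (!dpp)
		return false;   /* no DPP context: nothing to report, no SIGSEGV */
	return tcp_conn_status_requested(dpp);
}

/* Scenario: have_dpp=false mirrors eapol_test; otherwise one TCP connection
 * exists and may have requested a connection status result. */
static bool scenario(bool have_dpp, bool requested)
{
	struct dpp_global g; struct dpp_connection c;
	dl_list_init(&g.tcp_init);
	c.conn_status_requested = requested;
	dl_list_add(&g.tcp_init, &c.list);
	return dpp_connected(have_dpp ? &g : NULL);
}
```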


