SIGSEGV in dpp_tcp_conn_status_requested
Alexander Clouter
alex+hostapd at coremem.com
Sun Mar 27 05:40:34 PDT 2022
Hello,
The following commit (found by git bisecting) causes eapol_test to segfault for any EAP type (uncovered by our unit tests in FreeRADIUS):
----
commit 33cb47cf01912dbd054300fa6c118782cba69812
Author: Jouni Malinen <quic_jouni at quicinc.com>
Date: Fri Jan 28 17:28:49 2022 +0200
DPP: Fix connection result reporting when using TCP
----
It gets through to the access-accept without problems but then explodes with a NULL dereference of dpp in calling dpp_tcp_conn_status_requested:
----
root at b2d619d13ea8:/usr/src/freeradius-server# gdb -args /usr/local/bin/eapol_test -c /usr/src/freeradius-server/src/tests/eap-md5.conf -p 12340 -s testing123 -n
GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/bin/eapol_test...
(gdb) run
Starting program: /usr/local/bin/eapol_test -c /usr/src/freeradius-server/src/tests/eap-md5.conf -p 12340 -s testing123 -n
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Reading configuration file '/usr/src/freeradius-server/src/tests/eap-md5.conf'
Line: 4 - start of a new network block
key_mgmt: 0x4
eap methods - hexdump(len=16): 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=3):
62 6f 62 bob
password - hexdump_ascii(len=3):
62 6f 62 bob
Priority group 0
id=0 ssid=''
Authentication server 127.0.0.1:12340
RADIUS local address: 127.0.0.1:40255
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=221 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=3):
62 6f 62 bob
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=8)
TX EAP -> RADIUS - hexdump(len=8): 02 dd 00 08 01 62 6f 62
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=3): 62 6f 62
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=120
Attribute 1 (User-Name) length=5
Value: 'bob'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=10
Value: 02dd000801626f62
Attribute 80 (Message-Authenticator) length=18
Value: 8e460acbe70c8b48da0142d7c9a35210
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 92 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=92
Attribute 26 (Vendor-Specific) length=12
Value: 00007d00030600003034
Attribute 79 (EAP-Message) length=24
Value: 01de001604108c7cb6617a3e4f2a77bb2f2197b1f09b
Attribute 80 (Message-Authenticator) length=18
Value: 4f89a0937f997be735e30d607eea06f0
Attribute 24 (State) length=18
Value: 136657c013b8531e7277c9ab4159f20f
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=222 len=22) from RADIUS server: EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=222 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4
EAP: Status notification: accept proposed method (param=MD5)
EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): 8c 7c b6 61 7a 3e 4f 2a 77 bb 2f 21 97 b1 f0 9b
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 54 75 a5 8d b5 f8 48 db bf 66 0f 39 5f 07 64 69
EAP: method process -> ignore=FALSE methodState=DONE decision=COND_SUCC eapRespData=0x55f8f524e3d0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=22)
TX EAP -> RADIUS - hexdump(len=22): 02 de 00 16 04 10 54 75 a5 8d b5 f8 48 db bf 66 0f 39 5f 07 64 69
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=152
Attribute 1 (User-Name) length=5
Value: 'bob'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=24
Value: 02de001604105475a58db5f848dbbf660f395f076469
Attribute 24 (State) length=18
Value: 136657c013b8531e7277c9ab4159f20f
Attribute 80 (Message-Authenticator) length=18
Value: 21882ee5c44762351e416f4341aafd12
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 61 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=1 length=61
Attribute 26 (Vendor-Specific) length=12
Value: 00007d00030600003034
Attribute 79 (EAP-Message) length=6
Value: 03de0004
Attribute 80 (Message-Authenticator) length=18
Value: 4102427ec3a251a43a339fb22b6bd474
Attribute 1 (User-Name) length=5
Value: 'bob'
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=3 id=222 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: DISCONNECTED -> COMPLETED
Program received signal SIGSEGV, Segmentation fault.
dpp_tcp_conn_status_requested (dpp=0x0) at ../src/common/dpp_tcp.c:2246
2246 dl_list_for_each(conn, &dpp->tcp_init, struct dpp_connection, list) {
(gdb) where
#0 dpp_tcp_conn_status_requested (dpp=0x0) at ../src/common/dpp_tcp.c:2246
#1 0x000055f8f391d434 in wpas_dpp_connected (wpa_s=0x7fff19d483b0) at dpp_supplicant.c:438
#2 0x000055f8f39a99cc in sm_SUPP_PAE_Step (sm=0x55f8f517dbc0) at ../src/eapol_supp/eapol_supp_sm.c:417
#3 eapol_sm_step (sm=0x55f8f517dbc0) at ../src/eapol_supp/eapol_supp_sm.c:989
#4 0x000055f8f39aa3a5 in eapol_sm_rx_eapol (sm=0x55f8f517dbc0, src=<optimized out>,
buf=buf at entry=0x55f8f524dae0 "\003", len=<optimized out>) at ../src/eapol_supp/eapol_supp_sm.c:1384
#5 0x000055f8f3a64b2e in ieee802_1x_decapsulate_radius (e=0x55f8f3b38d60 <eapol_test>) at eapol_test.c:831
#6 ieee802_1x_receive_auth (msg=<optimized out>, req=<optimized out>, shared_secret=<optimized out>,
shared_secret_len=10, data=0x55f8f3b38d60 <eapol_test>) at eapol_test.c:945
#7 0x000055f8f3a65bb6 in radius_client_receive (sock=<optimized out>, eloop_ctx=0x55f8f517d9c0, sock_ctx=0x0)
at ../src/radius/radius_client.c:934
#8 0x000055f8f38f286f in eloop_sock_table_dispatch (table=table at entry=0x55f8f3b388b0 <eloop+16>,
fds=fds at entry=0x55f8f524d7e0) at ../src/utils/eloop.c:603
#9 0x000055f8f38f34ad in eloop_sock_table_dispatch (fds=0x55f8f524d7e0, table=0x55f8f3b388b0 <eloop+16>)
at ../src/utils/eloop.c:597
#10 eloop_run () at ../src/utils/eloop.c:1233
#11 0x000055f8f38dba25 in main (argc=<optimized out>, argv=<optimized out>) at eapol_test.c:1515
(gdb)
----
This occurs for both OpenSSL 1.1.1 (Debian 'buster' 11) and 3.0.2 (Debian 'experimental').
Let me know if you need anything else.
Cheers
--
Alexander Clouter
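As an added illustration, not hostap's code or its eventual fix, the block below models the dl_list intrusive list that dpp_tcp.c iterates and shows the NULL guard a callee such as dpp_tcp_conn_status_requested() needs when the DPP subsystem was never initialised, which is the case when eapol_test runs plain EAP; the structure layouts, the counting function and the sample connections are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdbool.h>

/* Minimal intrusive doubly-linked list in the style of hostap's list.h. */
struct dl_list { struct dl_list *next, *prev; };
#define dl_list_entry(item, type, member) \
	((type *)((char *)(item) - offsetof(type, member)))
#define dl_list_for_each(item, list, type, member) \
	for (item = dl_list_entry((list)->next, type, member); \
	     &item->member != (list); \
	     item = dl_list_entry(item->member.next, type, member))

static void dl_list_init(struct dl_list *l) { l->next = l; l->prev = l; }
static void dl_list_add(struct dl_list *l, struct dl_list *item) {
	item->next = l->next; item->prev = l; l->next->prev = item; l->next = item;
}

/* Hypothetical stand-ins for the DPP structures named in the backtrace. */
struct dpp_connection { struct dl_list list; bool conn_status_requested; };
struct dpp_global { struct dl_list tcp_init; };

/* Returns the number of TCP-initiated connections that requested a status
 * report, or -1 when DPP was never set up. Without the NULL guard, the
 * dl_list_for_each below computes &dpp->tcp_init from a NULL base and then
 * reads ->next through it, which is the SIGSEGV seen at dpp_tcp.c:2246. */
int count_conn_status_requested(struct dpp_global *dpp)
{
	struct dpp_connection *conn;
	int n = 0;

	if (!dpp)   /* the guard: caller ran EAP without DPP (e.g. eapol_test) */
		return -1;
	dl_list_for_each(conn, &dpp->tcp_init, struct dpp_connection, list) {
		if (conn->conn_status_requested)
			n++;
	}
	return n;
}

/* Builds a constructed dpp_global with two connections, one of them flagged. */
int demo_with_dpp(void)
{
	static struct dpp_global g;
	static struct dpp_connection a = { .conn_status_requested = true };
	static struct dpp_connection b = { .conn_status_requested = false };
	dl_list_init(&g.tcp_init);
	dl_list_add(&g.tcp_init, &a.list);
	dl_list_add(&g.tcp_init, &b.list);
	return count_conn_status_requested(&g);
}
```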