SIGSEGV in dpp_tcp_conn_status_requested

Alexander Clouter alex+hostapd at coremem.com
Sun Mar 27 05:40:34 PDT 2022


Hello,

The following commit (found by git bisecting) causes eapol_test to segfault for any EAP type (uncovered by our unit tests in FreeRADIUS):
----
commit 33cb47cf01912dbd054300fa6c118782cba69812
Author: Jouni Malinen <quic_jouni at quicinc.com>
Date:   Fri Jan 28 17:28:49 2022 +0200

    DPP: Fix connection result reporting when using TCP
----

It gets through to the access-accept without problems but then explodes with a NULL dereference of dpp in calling dpp_tcp_conn_status_requested:
----
root at b2d619d13ea8:/usr/src/freeradius-server# gdb -args /usr/local/bin/eapol_test -c /usr/src/freeradius-server/src/tests/eap-md5.conf -p 12340 -s testing123 -n 
GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/bin/eapol_test...
(gdb) run
Starting program: /usr/local/bin/eapol_test -c /usr/src/freeradius-server/src/tests/eap-md5.conf -p 12340 -s testing123 -n
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Reading configuration file '/usr/src/freeradius-server/src/tests/eap-md5.conf'
Line: 4 - start of a new network block
key_mgmt: 0x4
eap methods - hexdump(len=16): 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=3):
     62 6f 62                                          bob             
password - hexdump_ascii(len=3):
     62 6f 62                                          bob             
Priority group 0
   id=0 ssid=''
Authentication server 127.0.0.1:12340
RADIUS local address: 127.0.0.1:40255
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=221 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=3):
     62 6f 62                                          bob             
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=8)
TX EAP -> RADIUS - hexdump(len=8): 02 dd 00 08 01 62 6f 62
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=3): 62 6f 62
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=120
   Attribute 1 (User-Name) length=5
      Value: 'bob'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=10
      Value: 02dd000801626f62
   Attribute 80 (Message-Authenticator) length=18
      Value: 8e460acbe70c8b48da0142d7c9a35210
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 92 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=92
   Attribute 26 (Vendor-Specific) length=12
      Value: 00007d00030600003034
   Attribute 79 (EAP-Message) length=24
      Value: 01de001604108c7cb6617a3e4f2a77bb2f2197b1f09b
   Attribute 80 (Message-Authenticator) length=18
      Value: 4f89a0937f997be735e30d607eea06f0
   Attribute 24 (State) length=18
      Value: 136657c013b8531e7277c9ab4159f20f
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=222 len=22) from RADIUS server: EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=222 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4
EAP: Status notification: accept proposed method (param=MD5)
EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): 8c 7c b6 61 7a 3e 4f 2a 77 bb 2f 21 97 b1 f0 9b
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 54 75 a5 8d b5 f8 48 db bf 66 0f 39 5f 07 64 69
EAP: method process -> ignore=FALSE methodState=DONE decision=COND_SUCC eapRespData=0x55f8f524e3d0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=22)
TX EAP -> RADIUS - hexdump(len=22): 02 de 00 16 04 10 54 75 a5 8d b5 f8 48 db bf 66 0f 39 5f 07 64 69
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=152
   Attribute 1 (User-Name) length=5
      Value: 'bob'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=24
      Value: 02de001604105475a58db5f848dbbf660f395f076469
   Attribute 24 (State) length=18
      Value: 136657c013b8531e7277c9ab4159f20f
   Attribute 80 (Message-Authenticator) length=18
      Value: 21882ee5c44762351e416f4341aafd12
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 61 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=1 length=61
   Attribute 26 (Vendor-Specific) length=12
      Value: 00007d00030600003034
   Attribute 79 (EAP-Message) length=6
      Value: 03de0004
   Attribute 80 (Message-Authenticator) length=18
      Value: 4102427ec3a251a43a339fb22b6bd474
   Attribute 1 (User-Name) length=5
      Value: 'bob'
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=3 id=222 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: DISCONNECTED -> COMPLETED

Program received signal SIGSEGV, Segmentation fault.
dpp_tcp_conn_status_requested (dpp=0x0) at ../src/common/dpp_tcp.c:2246
2246            dl_list_for_each(conn, &dpp->tcp_init, struct dpp_connection, list) {
(gdb) where
#0  dpp_tcp_conn_status_requested (dpp=0x0) at ../src/common/dpp_tcp.c:2246
#1  0x000055f8f391d434 in wpas_dpp_connected (wpa_s=0x7fff19d483b0) at dpp_supplicant.c:438
#2  0x000055f8f39a99cc in sm_SUPP_PAE_Step (sm=0x55f8f517dbc0) at ../src/eapol_supp/eapol_supp_sm.c:417
#3  eapol_sm_step (sm=0x55f8f517dbc0) at ../src/eapol_supp/eapol_supp_sm.c:989
#4  0x000055f8f39aa3a5 in eapol_sm_rx_eapol (sm=0x55f8f517dbc0, src=<optimized out>, 
    buf=buf at entry=0x55f8f524dae0 "\003", len=<optimized out>) at ../src/eapol_supp/eapol_supp_sm.c:1384
#5  0x000055f8f3a64b2e in ieee802_1x_decapsulate_radius (e=0x55f8f3b38d60 <eapol_test>) at eapol_test.c:831
#6  ieee802_1x_receive_auth (msg=<optimized out>, req=<optimized out>, shared_secret=<optimized out>, 
    shared_secret_len=10, data=0x55f8f3b38d60 <eapol_test>) at eapol_test.c:945
#7  0x000055f8f3a65bb6 in radius_client_receive (sock=<optimized out>, eloop_ctx=0x55f8f517d9c0, sock_ctx=0x0)
    at ../src/radius/radius_client.c:934
#8  0x000055f8f38f286f in eloop_sock_table_dispatch (table=table at entry=0x55f8f3b388b0 <eloop+16>, 
    fds=fds at entry=0x55f8f524d7e0) at ../src/utils/eloop.c:603
#9  0x000055f8f38f34ad in eloop_sock_table_dispatch (fds=0x55f8f524d7e0, table=0x55f8f3b388b0 <eloop+16>)
    at ../src/utils/eloop.c:597
#10 eloop_run () at ../src/utils/eloop.c:1233
#11 0x000055f8f38dba25 in main (argc=<optimized out>, argv=<optimized out>) at eapol_test.c:1515
(gdb) 
----

This occurs for both OpenSSL 1.1.1 (Debian 'buster' 11) and 3.0.2 (Debian 'experimental').

Let me know if you need anything else.

Cheers

-- 
Alexander Clouter
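The crash in the backtrace above is a NULL dereference of an optional subsystem context: eapol_test never sets DPP up, so the dpp pointer handed to dpp_tcp_conn_status_requested is 0x0 and the very first load inside dl_list_for_each faults. The following C sketch is an added illustration of that failure mode and the defensive pattern for it; it is not hostap's code and not the fix that was eventually applied upstream. It uses a stand-in for hostap's intrusive dl_list, and every struct, field and helper name in it (dpp_global, dpp_connection, status_requested, build_sample, the demo functions) is hypothetical. It shows the unguarded walk, which faults on a NULL context exactly as in the report, beside a guarded entry point that treats an absent context as "no connections".

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal intrusive circular list in the style of hostap's dl_list.
 * Stand-in written for this example, not the project's own code. */
struct dl_list {
	struct dl_list *next;
	struct dl_list *prev;
};

static void dl_list_init(struct dl_list *list)
{
	list->next = list;
	list->prev = list;
}

static void dl_list_add_tail(struct dl_list *head, struct dl_list *item)
{
	item->next = head;
	item->prev = head->prev;
	head->prev->next = item;
	head->prev = item;
}

#define dl_list_entry(ptr, type, member) \
	((type *) ((char *) (ptr) - offsetof(type, member)))

/* Hypothetical connection record; only the fields this example needs. */
struct dpp_connection {
	struct dl_list list;
	bool status_requested;
};

/* Hypothetical per-interface DPP context; NULL when DPP was never set up
 * (the eapol_test situation in the report). */
struct dpp_global {
	struct dl_list tcp_init;
};

/* Unguarded walk, shaped like the crashing loop: with dpp == NULL the
 * first load of dpp->tcp_init.next goes through a null base pointer and
 * faults. Only ever call this with a valid context. */
static int count_status_requested_unguarded(struct dpp_global *dpp)
{
	int n = 0;
	struct dl_list *it;

	for (it = dpp->tcp_init.next; it != &dpp->tcp_init; it = it->next) {
		struct dpp_connection *conn =
			dl_list_entry(it, struct dpp_connection, list);
		if (conn->status_requested)
			n++;
	}
	return n;
}

/* Guarded entry point: an absent (NULL) context means no DPP TCP
 * connections can exist, so report zero instead of dereferencing NULL. */
static int count_status_requested(struct dpp_global *dpp)
{
	if (!dpp)
		return 0;
	return count_status_requested_unguarded(dpp);
}

/* Constructed sample data: three connections, two with a pending
 * status request. Rebuilt from scratch on every call. */
static struct dpp_global sample_ctx;
static struct dpp_connection sample_conns[3];

static struct dpp_global *build_sample(void)
{
	dl_list_init(&sample_ctx.tcp_init);
	for (size_t i = 0; i < 3; i++) {
		sample_conns[i].status_requested = (i != 1);
		dl_list_add_tail(&sample_ctx.tcp_init, &sample_conns[i].list);
	}
	return &sample_ctx;
}

/* Path eapol_test takes: DPP never initialised, context pointer is NULL. */
static int demo_without_dpp(void)
{
	return count_status_requested(NULL);
}

/* Path a DPP-enabled supplicant takes: populated context. */
static int demo_with_dpp(void)
{
	return count_status_requested(build_sample());
}

int main(void)
{
	printf("no DPP context: %d\n", demo_without_dpp());
	printf("populated context: %d\n", demo_with_dpp());
	return 0;
}
```

The point the guard encodes is that a subsystem pointer which is only set when the feature is configured must be treated as optional by every caller reached from a feature-independent code path (here the generic EAPOL "connected" transition), and that the cheapest place to enforce that is the entry of the function that walks the subsystem's state.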
