[RadiusNT] screwy username causes RadiusNT 2.5.162 to crash with Dr. Watson

Josh Hillman (no email)
Mon, 10 May 1999 13:33:43 -0400

This morning at 7:50am, RadiusNT 2.5.162 crashed with a Dr. Watson error after a user dialed up and had garbage come through as the username.

The raw stack dump for RadiusNT in drwtsn32.log displays something that corresponds with the syslogs also (below).

NT Server 4.0 SP 4
RadiusNT 2.5.162 (runs as service):
options that are set:
Trim name
Require secret
Allow malformed
Concurrency control
Variable login limits
Ascend max time
Password replace
SQL 6.5 SP5a
MDAC 2.1
Ascend Max (4048 in this case) OS version 7.0.4

syslog info:

May 10 07:48:01 max2.talstar.com ASCEND: slot 0 port 0, line 1, channel 9, Incoming Call, MBID 205 [MBID 205]
May 10 07:48:01 max2.talstar.com ASCEND: slot 4 port 8, Assigned to port, MBID 205 [MBID 205]
May 10 07:48:02 max2.talstar.com ASCEND: slot 4 port 8, line 1, channel 9, Call Connected, MBID 205 [MBID 205]
May 10 07:48:02 max2.talstar.com ASCEND: call 62 AN slot 4 port 8 56KR
May 10 07:50:27 max2.talstar.com Radius client timeout (code=1) for user hR/V/hXVgiXP^RThRGVPPg\vzVPXP^RTXhRgTPXPPVT\vzV/PhRGTPPg\vzVPXPhRVPTPTPXPPVT\vzVP-
May 10 07:53:08 max2.talstar.com ASCEND: slot 4 port 8, Call Terminated [MBID 205]
May 10 07:53:08 max2.talstar.com ASCEND: call 62 CL 0K u=hR/V/hXVgiXP^RThRGVPPg\vzVPXP^RTXhRgTPXPPVT\vzV/PhRGTPPg\vzVPXP+ c=11 p=40 s=28800 r=26400

drwtsn32.log:

Application exception occurred:
App: (pid=175)
When: 5/10/1999 @ 7:50:16.2
Exception number: c0000005 (access violation)

*----> System Information <----*
Number of Processors: 2
Processor Type: x86 Family 5 Model 2 Stepping 12
Windows Version: 4.0
Current Build: 1381
Service Pack: 4
Current Type: Multiprocessor Free

*----> Task List <----*
0 Idle.exe
2 System.exe
25 smss.exe
33 CSRSS.exe
39 WINLOGON.exe
45 SERVICES.exe
48 LSASS.exe
74 SPOOLSS.exe
100 RPCSS.exe
81 msdtc.exe
145 DNS.exe
151 LLSSRV.exe
164 SQLSERVR.exe
170 PSTORES.exe
175 Radius.exe
184 LOCATOR.exe
181 SNMP.exe
193 SQLEXEC.exe
246 SRVANY.exe
155 Serv-U32.exe
241 logon.scr.exe
257 DRWTSN32.exe
0 _Total.exe

(00400000 - 00400000)
(77f60000 - 77fbc000) dll\ntdll.dbg
(77f00000 - 77f5e000) dll\kernel32.dbg
(77e70000 - 77ec4000) dll\user32.dbg
(77ed0000 - 77efc000) dll\gdi32.dbg
(77dc0000 - 77dff000) dll\advapi32.dbg
(77e10000 - 77e67000) dll\rpcrt4.dbg
(77c40000 - 77d7c000) dll\shell32.dbg
(77aa0000 - 77b14000) COMCTL32.dbg
(1f490000 - 1f4c5000) dll\ODBC32.dbg
(78000000 - 78040000)
(77d80000 - 77db2000) dll\comdlg32.dbg
(77a90000 - 77a9b000) dll\version.dbg
(779c0000 - 779c8000) dll\lz32.dbg
(776d0000 - 776d8000) dll\wsock32.dbg
(776b0000 - 776c4000) dll\ws2_32.dbg
(776a0000 - 776a7000) dll\ws2help.dbg
(1f5d0000 - 1f5e4000) dll\ODBCINT.dbg
(77bf0000 - 77bf7000) dll\rpcltc1.dbg
(41230000 - 412ab000) sqlsrv32.DBG
(41100000 - 4110c000) sqlwoa.DBG
(77800000 - 7783a000) dll\netapi32.dbg
(77840000 - 77849000) dll\NetRap.dbg
(777e0000 - 777ed000) dll\samlib.dbg
(75a80000 - 75a87000) dll\nddeapi.dbg
(77c00000 - 77c18000) drv\winspool.dbg
(1f4d0000 - 1f4e9000) dll\ODBCCP32.dbg
(77b20000 - 77bd5000) dll\ole32.dbg
(73310000 - 73318000) dbnmpntw.DBG
(77660000 - 7766f000) dll\msafd.dbg
(77690000 - 77699000) dll\wshtcpip.dbg

State Dump for Thread Id 0xae

eax=77e577d8 ebx=0012fe10 ecx=00144e78 edx=00000000 esi=00000070 edi=00000000
eip=77f67e87 esp=0012fd30 ebp=0012fd98 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246

function: ZwReadFile
77f67e7c b886000000 mov eax,0x86
77f67e81 8d542404 lea edx,[esp+0x4] ss:00f4e737=????????
77f67e85 cd2e int 2e
77f67e87 c22400 ret 0x24
77f67e8a 8bc0 mov eax,eax

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0012fd98 77dd8b0e 00000070 00143320 0000021a 0012fdc8 ntdll!ZwReadFile
0012fdcc 77dd855a 00000070 00143320 0000021a 0012fe10 advapi32!RegisterServiceCtrlHandlerA
0012fe30 77dd8377 00000070 00143320 0000021a 00000000 advapi32!StartServiceCtrlDispatcherW
0012fe54 0040d194 0012ff70 77f64c4f 00dc0548 0044c410 advapi32!StartServiceCtrlDispatcherA

*----> Raw Stack Dump <----*
0012fd30 00 d3 f0 77 70 00 00 00 - 00 00 00 00 00 00 00 00 ...wp...........
0012fd40 00 00 00 00 6c fd 12 00 - 20 33 14 00 1a 02 00 00 ....l... 3......
0012fd50 00 00 00 00 00 00 00 00 - 00 00 00 00 20 33 14 00 ............ 3..
0012fd60 10 fe 12 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0012fd70 98 fd 12 00 e0 fd 12 00 - 04 00 00 00 00 00 00 00 ................
0012fd80 58 fd 12 00 00 00 00 00 - 20 fe 12 00 74 b8 f3 77 X....... ...t..w
0012fd90 40 ca f3 77 ff ff ff ff - cc fd 12 00 0e 8b dd 77 @..w...........w
0012fda0 70 00 00 00 20 33 14 00 - 1a 02 00 00 c8 fd 12 00 p... 3..........
0012fdb0 00 00 00 00 00 00 00 00 - 50 56 14 00 5c 56 14 00 ........PV..\V..
0012fdc0 70 00 00 00 e0 fd 12 00 - 00 00 00 00 30 fe 12 00 p...........0...
0012fdd0 5a 85 dd 77 70 00 00 00 - 20 33 14 00 1a 02 00 00 Z..wp... 3......
0012fde0 10 fe 12 00 20 33 14 00 - 00 00 00 00 1a 02 00 00 .... 3..........
0012fdf0 b3 00 00 00 20 33 14 00 - 00 00 00 00 01 00 00 00 .... 3..........
0012fe00 24 33 14 00 00 00 00 00 - 01 00 00 00 d8 45 14 00 $3...........E..
0012fe10 00 00 00 00 00 00 00 00 - e4 fd 12 00 04 00 00 00 ................
0012fe20 b0 ff 12 00 94 11 de 77 - d8 de de 77 ff ff ff ff .......w...w....
0012fe30 54 fe 12 00 77 83 dd 77 - 70 00 00 00 20 33 14 00 T...w..wp... 3..
0012fe40 1a 02 00 00 00 00 00 00 - a8 01 15 00 00 f0 fd 7f ................
0012fe50 70 00 00 00 80 ff 12 00 - 94 d1 40 00 70 ff 12 00 p.........@.p...
0012fe60 4f 4c f6 77 48 05 dc 00 - 10 c4 44 00 00 00 00 00 OL.wH.....D.....

State Dump for Thread Id 0xb3

eax=00145768 ebx=00000000 ecx=001457d8 edx=00000000 esi=00000064 edi=00000000
eip=77f6825b esp=012cfe50 ebp=012cfe74 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246

function: NtWaitForSingleObject
77f68250 b8c5000000 mov eax,0xc5
77f68255 8d542404 lea edx,[esp+0x4] ss:020ee857=????????
77f68259 cd2e int 2e
77f6825b c20c00 ret 0xc
77f6825e 8bc0 mov eax,eax

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
012cfe74 77f04f97 00000064 ffffffff 00000000 0040d3c7 ntdll!NtWaitForSingleObject
012cffa8 77dd8cee 00000001 00145658 ffffffff 77f04f3e kernel32!WaitForSingleObject
012cffec 00000000 00000000 00000000 00000000 00000000 advapi32!RegisterServiceCtrlHandlerA
00000000 00000000 00000000 00000000 00000000 00000000 !<nosymbols>

State Dump for Thread Id 0xeb

eax=7cf0fee0 ebx=00dd6100 ecx=00dd8fb8 edx=52682d50 esi=00dd6100 edi=00dd8ffd
eip=00434161 esp=0163e16c ebp=0163ee08 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246

function: <nosymbols>
0043414b 7419 jz 00434166
0043414d 8a11 mov dl,[ecx] ds:00dd8fb8=54
0043414f 41 inc ecx
00434150 84d2 test dl,dl
00434152 7464 jz 004341b8
00434154 8817 mov [edi],dl ds:00dd8ffd=82
00434156 47 inc edi
00434157 f7c103000000 test ecx,0x3
0043415d 75ee jnz 0043414d
0043415f eb05 jmp 00434166
FAULT ->00434161 8917 mov [edi],edx ds:00dd8ffd=????????
00434163 83c704 add edi,0x4
00434166 bafffefe7e mov edx,0x7efefeff
0043416b 8b01 mov eax,[ecx] ds:00dd8fb8=67505054
0043416d 03d0 add edx,eax
0043416f 83f0ff xor eax,0xff
00434172 33c2 xor eax,edx
00434174 8b11 mov edx,[ecx] ds:00dd8fb8=67505054
00434176 83c104 add ecx,0x4
00434179 a900010181 test eax,0x81010100
0043417e 74e1 jz 00434161
00434180 84d2 test dl,dl

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0163ee08 00414f6c 0045df80 00dd8920 0163ef74 0000000b <nosymbols>

*----> Raw Stack Dump <----*
0163e16c 0b 00 00 00 11 ed 41 00 - 10 8a dd 00 c7 89 dd 00 ......A.........
0163e17c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0163e18c 00 00 00 00 00 00 00 00 - f0 8d dd 00 00 00 00 00 ................
0163e19c 01 00 00 00 00 00 0a 00 - 09 00 08 00 00 00 07 00 ................
0163e1ac 06 00 05 00 04 00 03 00 - 00 00 00 00 02 00 01 00 ................
0163e1bc 01 00 00 00 00 00 00 00 - 08 00 00 00 00 00 00 00 ................
0163e1cc 04 00 00 00 ff ff ff ff - 00 00 00 00 00 00 00 00 ................
0163e1dc 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0163e1ec 00 00 00 00 00 00 00 00 - bf fc 57 30 59 ac 76 22 ..........W0Y.v"
0163e1fc 1c d2 cf e3 8f 31 86 17 - 00 00 00 00 00 00 00 00 .....1..........
0163e20c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0163e21c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0163e22c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0163e23c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0163e24c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0163e25c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0163e26c 00 00 00 00 00 00 00 00 - 00 00 00 00 41 75 74 68 ............Auth
0163e27c 65 6e 74 69 63 61 74 65 - 3a 20 66 72 6f 6d 20 4d enticate: from M
0163e28c 61 78 20 32 20 2d 20 49 - 6e 76 61 6c 69 64 20 55 ax 2 - Invalid U
0163e29c 73 65 72 6e 61 6d 65 0a - 00 72 6e 61 6d 65 0a 00 sername..rname..

State Dump for Thread Id 0xec

eax=00dd7004 ebx=7766b100 ecx=00459680 edx=00000000 esi=01502730 edi=000000c8
eip=77f6825b esp=0173ec64 ebp=0173ecb8 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000293

function: NtWaitForSingleObject
77f68250 b8c5000000 mov eax,0xc5
77f68255 8d542404 lea edx,[esp+0x4] ss:0255d66b=????????
77f68259 cd2e int 2e
77f6825b c20c00 ret 0xc
77f6825e 8bc0 mov eax,eax

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0173ecb8 77664a12 000000c8 0000005c 00000001 00000004 ntdll!NtWaitForSingleObject
0173ede0 776b9f5e 00000020 0173ee70 00000000 00000000 msafd!<nosymbols>
0173ee30 00413feb 00000020 0173ee70 00000000 00000000 ws2_32!select

*----> Raw Stack Dump <----*
0173ec64 ce 89 66 77 c8 00 00 00 - 01 00 00 00 90 ec 73 01 ..fw..........s.
0173ec74 00 00 00 00 70 ee 73 01 - f8 ec 73 01 2a b2 7f 36 ....p.s...s.*..6
0173ec84 db 9a be 01 ff ff ff ff - ff ff ff 7f ff ff ff ff ................
0173ec94 ff ff ff 7f 00 00 00 00 - 00 00 00 00 00 01 00 00 ................
0173eca4 c3 49 66 77 5c 00 00 00 - 00 00 00 00 00 00 00 00 .Ifw\...........
0173ecb4 00 00 00 00 e0 ed 73 01 - 12 4a 66 77 c8 00 00 00 ......s..Jfw....
0173ecc4 5c 00 00 00 01 00 00 00 - 04 00 00 00 d8 37 d8 00 \............7..
0173ecd4 70 ee 73 01 08 37 d8 00 - ff ff ff ff ff ff ff 7f p.s..7..........
0173ece4 01 00 00 00 00 4b 41 00 - 5c 00 00 00 19 00 00 00 .....KA.\.......
0173ecf4 02 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0173ed04 00 00 00 00 00 00 00 00 - 7d 1f 6a 77 98 76 14 00 ........}.jw.v..
0173ed14 ad 1f 6a 77 14 46 66 77 - 5c 00 00 00 c8 00 00 00 ..jw.Ffw\.......
0173ed24 00 00 00 00 00 00 00 00 - 68 ed 73 01 1b 20 01 00 ........h.s.. ..
0173ed34 50 ed 73 01 18 00 00 00 - 4d 47 66 77 30 27 50 01 P.s.....MGfw0'P.
0173ed44 5c 00 00 00 d8 37 d8 00 - 80 61 dd 00 1c ee 73 01 \....7...a....s.
0173ed54 01 00 00 00 01 00 00 00 - 20 00 00 00 10 ef 45 00 ........ .....E.
0173ed64 58 ee 73 01 00 00 00 00 - c1 00 00 00 74 b8 f3 77 X.s.........t..w
0173ed74 20 cc f3 77 00 00 00 00 - 30 ee 73 01 e4 ec 73 01 ..w....0.s...s.
0173ed84 2c 00 00 00 03 01 00 00 - ec ec 73 01 00 00 00 00 ,.........s.....
0173ed94 44 ed 73 01 00 00 00 00 - a8 ff 73 01 60 98 66 77 D.s.......s.`.fw
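Added example, not part of Josh's post and not RadiusNT code. The loop around the FAULT line in thread 0xeb (the word-at-a-time copy using the 0x7efefeff / 0x81010100 zero-byte-detection constants) has the shape of a compiler-inlined strcpy, and the faulting store goes to edi=00dd8ffd, an address the debugger could not read, which is consistent with a copy of the User-Name value running off the end of a heap buffer. Whatever the actual cause in RadiusNT, the defensive pattern a RADIUS server wants is below: walk the RFC 2865 attribute list with every length checked against the packet, and copy User-Name into the server's buffer only after checking it fits. The packet builder, the 64-byte buffer size (USER_NAME_MAX), the zeroed authenticator and the name "alice" are all constructed for this example; the garbage name is the one from the syslog line above, with backslashes escaped for C.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN 20      /* code, id, length(2), authenticator(16): RFC 2865 s.3 */
#define ATTR_USER_NAME 1       /* RFC 2865 s.5.1 */
#define USER_NAME_MAX  64      /* hypothetical size of the server's own name buffer */

enum { UN_OK = 0, UN_MISSING, UN_MALFORMED, UN_TOO_LONG, UN_BAD_CHARS };

/* Walk the attribute list and copy User-Name into out[out_len] with explicit bounds.
 * Every length comes from the packet and is checked against the packet size and
 * against out_len before a single byte is copied. */
int extract_user_name(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_len)
{
    if (pkt == NULL || out == NULL || out_len == 0 || pkt_len < RADIUS_HDR_LEN)
        return UN_MALFORMED;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > pkt_len)
        return UN_MALFORMED;

    size_t off = RADIUS_HDR_LEN;
    while (off < declared) {
        if (declared - off < 2)
            return UN_MALFORMED;                 /* truncated attribute header */
        uint8_t type = pkt[off], len = pkt[off + 1];
        if (len < 2 || len > declared - off)
            return UN_MALFORMED;                 /* length field runs past the packet */
        if (type == ATTR_USER_NAME) {
            size_t vlen = (size_t)len - 2;
            if (vlen == 0)
                return UN_MALFORMED;             /* RFC 2865: at least one octet */
            if (vlen >= out_len)
                return UN_TOO_LONG;              /* would not fit with the NUL */
            for (size_t i = 0; i < vlen; i++)
                if (!isprint(pkt[off + 2 + i]))
                    return UN_BAD_CHARS;         /* reject control/8-bit garbage */
            memcpy(out, pkt + off + 2, vlen);
            out[vlen] = '\0';
            return UN_OK;
        }
        off += len;
    }
    return UN_MISSING;
}

/* Build a minimal Access-Request carrying one User-Name attribute (constructed
 * test input; the authenticator is zeroed because it is irrelevant here). */
size_t build_access_request(const char *name, size_t name_len, uint8_t *buf, size_t buf_len)
{
    if (name_len == 0 || name_len > 253)         /* attribute length is one octet */
        return 0;
    size_t total = RADIUS_HDR_LEN + 2 + name_len;
    if (total > buf_len)
        return 0;
    buf[0] = 1;                                  /* Access-Request */
    buf[1] = 0x2a;                               /* arbitrary identifier */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    memset(buf + 4, 0, 16);
    buf[RADIUS_HDR_LEN] = ATTR_USER_NAME;
    buf[RADIUS_HDR_LEN + 1] = (uint8_t)(2 + name_len);
    memcpy(buf + RADIUS_HDR_LEN + 2, name, name_len);
    return total;
}

/* Convenience: build a request for `name` and run it through the extractor. */
int check_name(const char *name)
{
    uint8_t pkt[512];
    char out[USER_NAME_MAX];
    size_t n = build_access_request(name, strlen(name), pkt, sizeof pkt);
    if (n == 0)
        return UN_MALFORMED;
    return extract_user_name(pkt, n, out, sizeof out);
}

/* Same, but corrupt the attribute length so it claims more bytes than the packet holds. */
int check_overlong_attr_length(void)
{
    uint8_t pkt[512];
    char out[USER_NAME_MAX];
    size_t n = build_access_request("alice", 5, pkt, sizeof pkt);
    pkt[RADIUS_HDR_LEN + 1] = 0xff;
    return extract_user_name(pkt, n, out, sizeof out);
}

/* The username from the syslog line in the post (backslashes escaped for C). */
static const char GARBAGE_NAME[] =
    "hR/V/hXVgiXP^RThRGVPPg\\vzVPXP^RTXhRgTPXPPVT\\vzV/PhRGTPPg\\vzVPXPhRVPTPTPXPPVT\\vzVP-";

int main(void)
{
    printf("normal name  -> %d\n", check_name("alice"));
    printf("garbage name -> %d\n", check_name(GARBAGE_NAME));
    printf("bad attr len -> %d\n", check_overlong_attr_length());
    return 0;
}
```

The garbage name is rejected as UN_TOO_LONG before anything is copied, so no buffer of USER_NAME_MAX bytes can be overrun by it; a packet whose attribute length field points past the end of the datagram is rejected as UN_MALFORMED without the loop ever reading beyond pkt_len. The order of checks matters: the length test comes before the character scan so that an oversized value never drives a loop over memory the server does not own.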