Null pointer deref

Daniel O'Connor darius at
Mon May 1 07:50:16 CEST 2006

On Monday 01 May 2006 12:45, Alan DeKok wrote:
> "Daniel O'Connor" <darius at> wrote:
> > The strcmp's around lines 1630 and 1659 can be done on a NULL pointer (eg
> > mainconfig.do_lower_user) which causes a crash.
>   I presume you mean in src/main/radiusd.c ?

Whoops, yes, sorry :)

>   I'm curious as to how a NULL pointer got into those entries in the
> "mainconfig" data structure.  The server is set up so that if there's
> no entry for those configs in radiusd.conf, then a default value of
> "no" is used.  See src/main/mainconfig.c.

Yes, I was pretty suprised too :(

>   I've never seen this bug before, so my first guess is that you're
> not running a stock server, and that the changes don't initialize
> those entries.

I built the server from the ports tree in FreeBSD. I also tried the OpenWRT
package (as the end goal is for WPA auth) and it seems to have exactly the
same problem (well, it segfaults with the same config file).

There are a few patches in the FreeBSD port but none affect that code.

I put a watch on mainconfig.do_lower_user and it doesn't get touched..
Hmm.. digs a bit further..
It appears that in read_radius_conf_file conf_read returns NULL so the
cf_section_parse call is never made.

My radiusd.conf had rundir instead of run_dir causing the parser to barf 
I guess.

Hmm, there's a trap for young players :)

Daniel O'Connor software and network engineer
for Genesis Software -
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <>

More information about the Freeradius-Devel mailing list