[patch] pairmake_any() segfaults at conffile parse time if attr not in dictionary
John Morrissey
jwm at horde.net
Fri Jan 22 18:47:50 CET 2010
When referencing non-dictionary attrs in FreeRADIUS' config
("Vendor-6969-Attr-69", for example), pairmake() calls pairmake_any().
FreeRADIUS 2.1.8's pairmake_any() assumes a non-NULL value argument, causing
this segfault:
#0 0x00007f2ec4c99010 in strlen () from /lib/libc.so.6
#1 0x00007f2ec5ffa495 in pairmake (attribute=<value optimized out>, value=0x0, operator=9)
at valuepair.c:1358
#2 0x000000000040c8ba in cf_pairtovp (pair=0xe7d430) at conffile.c:1860
#3 0x000000000041abda in do_compile_modsingle (parent=0x0, component=2,
ci=<value optimized out>, grouptype=0, modname=0x7ffff741e128) at modcall.c:1351
#4 0x0000000000418273 in load_component_section (cs=0xe7d0f0, components=0x11a5580, comp=2)
at modules.c:873
#5 0x0000000000418828 in load_byserver (cs=0xe7cbd0) at modules.c:1072
#6 0x0000000000418b57 in virtual_servers_load (config=0xc71030) at modules.c:1200
#7 0x0000000000419518 in setup_modules (reload=<value optimized out>, config=0xc71030)
at modules.c:1467
#8 0x0000000000417926 in read_mainconfig (reload=<value optimized out>) at mainconfig.c:914
#9 0x000000000041c1d8 in main (argc=2, argv=<value optimized out>) at radiusd.c:257
This patch modifies pairmake_any() to short-circuit in the case of a NULL
value, allowing cf_pairtovp() to continue as normal, updating the type and
value fields.
--- src/lib/valuepair.c~ 2010-01-21 15:54:56.681161000 +0000
+++ src/lib/valuepair.c 2010-01-21 15:55:06.687350000 +0000
@@ -1355,6 +1355,12 @@
return NULL;
}
+ vp->operator = (operator == 0) ? T_OP_EQ : operator;
+
+ if (!value) {
+ return vp;
+ }
+
size = strlen(value + 2);
/*
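Review bot: the early return at the new `if (!value)` block hands back a vp whose type and value fields are still in whatever state the allocation left them, so correctness now depends on every caller that passes a NULL value filling them in afterwards; the description says cf_pairtovp() does this, but a short comment above the return stating that contract (for example `/* caller supplies type and value */`) would stop a future caller from treating the partially initialised vp as complete. Also worth confirming that the backtrace's crash site, `strlen(value + 2)` immediately below, is the only place in pairmake() that dereferences value before the NULL check, since the guard is added only in pairmake_any() and not in pairmake() itself.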
@@ -1397,8 +1402,6 @@
break;
}
- vp->operator = (operator == 0) ? T_OP_EQ : operator;
-
return vp;
}
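Review bot: removing the trailing `vp->operator = ...` is the expected counterpart of moving it ahead of the NULL check, but the move changes when the field is set for every path between the two hunks, not only the NULL case; please confirm there is no other `return vp` in the span between line 1355 and line 1402 that previously returned with operator still unset, and that no code in that span reads vp->operator before the old assignment point and would now see the caller's value instead of zero.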
john
--
John Morrissey _o /\ ---- __o
jwm at horde.net _-< \_ / \ ---- < \,
www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__