34 lines
967 B
Text
34 lines
967 B
Text
|
To: md@linux.it, mjt@corpit.ru
|
||
|
Subject: pppd-auth-hook.patch
|
||
|
Message-Id: <20040604231517.3E9AD11DC4@paltus.tls.msk.ru>
|
||
|
Date: Sat, 5 Jun 2004 03:15:17 +0400 (MSD)
|
||
|
From: mjt@corpit.ru (Michael Tokarev)
|
||
|
|
||
|
The patch below fixes pppd segfault when using auth_hook that sets
|
||
|
options for the user (use-after-free problem).
|
||
|
|
||
|
/mjt
|
||
|
|
||
|
--- ppp/pppd/auth.c.orig Mon Jun 23 18:12:04 2003
|
||
|
+++ ppp/pppd/auth.c Sat Jun 5 03:11:36 2004
|
||
|
@@ -1251,14 +1251,14 @@
|
||
|
if (pap_auth_hook) {
|
||
|
ret = (*pap_auth_hook)(user, passwd, msg, &addrs, &opts);
|
||
|
if (ret >= 0) {
|
||
|
+ /* note: set_allowed_addrs() saves opts (but not addrs): don't free it! */
|
||
|
if (ret)
|
||
|
set_allowed_addrs(unit, addrs, opts);
|
||
|
- BZERO(passwd, sizeof(passwd));
|
||
|
+ else if (opts != 0)
|
||
|
+ free_wordlist(opts);
|
||
|
if (addrs != 0)
|
||
|
free_wordlist(addrs);
|
||
|
- if (opts != 0) {
|
||
|
- free_wordlist(opts);
|
||
|
- }
|
||
|
+ BZERO(passwd, sizeof(passwd));
|
||
|
return ret? UPAP_AUTHACK: UPAP_AUTHNAK;
|
||
|
}
|
||
|
}
|
||
|
|