To: md@linux.it, mjt@corpit.ru Subject: pppd-auth-hook.patch Message-Id: <20040604231517.3E9AD11DC4@paltus.tls.msk.ru> Date: Sat, 5 Jun 2004 03:15:17 +0400 (MSD) From: mjt@corpit.ru (Michael Tokarev) The patch below fixes pppd segfault when using auth_hook that sets options for the user (use-after-free problem). /mjt --- ppp/pppd/auth.c.orig Mon Jun 23 18:12:04 2003 +++ ppp/pppd/auth.c Sat Jun 5 03:11:36 2004 @@ -1251,14 +1251,14 @@ if (pap_auth_hook) { ret = (*pap_auth_hook)(user, passwd, msg, &addrs, &opts); if (ret >= 0) { + /* note: set_allowed_addrs() saves opts (but not addrs): don't free it! */ if (ret) set_allowed_addrs(unit, addrs, opts); - BZERO(passwd, sizeof(passwd)); + else if (opts != 0) + free_wordlist(opts); if (addrs != 0) free_wordlist(addrs); - if (opts != 0) { - free_wordlist(opts); - } + BZERO(passwd, sizeof(passwd)); return ret? UPAP_AUTHACK: UPAP_AUTHNAK; } }