summaryrefslogtreecommitdiffstats
path: root/obsolete-buildroot/sources/openwrt/patches/ppp/auth_hook_segfault
blob: 59007efafd1243d1472a64e78f1b40c64d7997f0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
To: md@linux.it, mjt@corpit.ru
Subject: pppd-auth-hook.patch
Message-Id: <20040604231517.3E9AD11DC4@paltus.tls.msk.ru>
Date: Sat,  5 Jun 2004 03:15:17 +0400 (MSD)
From: mjt@corpit.ru (Michael Tokarev)

The patch below fixes pppd segfault when using auth_hook that sets
options for the user (use-after-free problem).

/mjt

--- ppp/pppd/auth.c.orig	Mon Jun 23 18:12:04 2003
+++ ppp/pppd/auth.c	Sat Jun  5 03:11:36 2004
@@ -1251,14 +1251,14 @@
     if (pap_auth_hook) {
 	ret = (*pap_auth_hook)(user, passwd, msg, &addrs, &opts);
 	if (ret >= 0) {
+	    /* note: set_allowed_addrs() saves opts (but not addrs): don't free it! */
 	    if (ret)
 		set_allowed_addrs(unit, addrs, opts);
-	    BZERO(passwd, sizeof(passwd));
+	    else if (opts != 0)
+		free_wordlist(opts);
 	    if (addrs != 0)
 		free_wordlist(addrs);
-	    if (opts != 0) {
-		free_wordlist(opts);
-	    }
+	    BZERO(passwd, sizeof(passwd));
 	    return ret? UPAP_AUTHACK: UPAP_AUTHNAK;
 	}
     }