summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenys Fedoryshchenko <denys.f@collabora.com>2026-03-16 18:07:36 +0200
committerGitHub <noreply@github.com>2026-03-16 18:07:36 +0200
commit06f64b19a123d623438b95b5e6da00f4bf4ce9c1 (patch)
tree53ac00b0bb46ef3b408c700ab6cdebfd815d62ad
parentb8f6eafe61ffcf6645a51cc2bc13c93cab4955fe (diff)
parente09b9c81d54c326c3eca2267d38d91db0ca93f8a (diff)
downloadaccel-ppp-06f64b19a123d623438b95b5e6da00f4bf4ce9c1.tar.gz
accel-ppp-06f64b19a123d623438b95b5e6da00f4bf4ce9c1.zip
Merge pull request #297 from nuclearcat/fixes-radius
Various radius fixes
-rw-r--r--accel-pppd/radius/auth.c5
-rw-r--r--accel-pppd/radius/packet.c22
-rw-r--r--accel-pppd/radius/req.c4
3 files changed, 24 insertions, 7 deletions
diff --git a/accel-pppd/radius/auth.c b/accel-pppd/radius/auth.c
index 69f1b2ef..73e7a50c 100644
--- a/accel-pppd/radius/auth.c
+++ b/accel-pppd/radius/auth.c
@@ -434,7 +434,10 @@ static int rad_auth_mschap_v2_recv(struct rad_req_t *req)
if (req->reply->code == CODE_ACCESS_ACCEPT) {
ra = rad_packet_find_attr(req->reply, "Microsoft", "MS-CHAP2-Success");
if (!ra) {
- log_error("radius:auth:mschap-v2: 'MS-CHAP-Success' not found in radius response\n");
+ log_error("radius:auth:mschap-v2: 'MS-CHAP2-Success' not found in radius response\n");
+ return -1;
+ } else if (ra->len < 43) {
+ log_error("radius:auth:mschap-v2: 'MS-CHAP2-Success' too short (%i)\n", ra->len);
return -1;
} else
memcpy(rpd->auth_ctx->authenticator, ra->val.octets + 3, 40);
diff --git a/accel-pppd/radius/packet.c b/accel-pppd/radius/packet.c
index aae2c6a1..cfc0bc29 100644
--- a/accel-pppd/radius/packet.c
+++ b/accel-pppd/radius/packet.c
@@ -167,9 +167,8 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr)
if (!pack)
return 0;
- //ptr = mmap(NULL, REQ_LENGTH_MAX, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
ptr = mempool_alloc(buf_pool);
- if (ptr == MAP_FAILED) {
+ if (!ptr) {
log_emerg("radius:packet: out of memory\n");
goto out_err;
}
@@ -224,9 +223,17 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr)
goto out_err;
}
if (id == 26) {
+ if (len < 4) {
+ log_ppp_warn("radius:packet: vendor attribute too short (%i)\n", len);
+ goto out_err;
+ }
vendor_id = ntohl(*(uint32_t *)ptr);
vendor = rad_dict_find_vendor_id(vendor_id);
if (vendor) {
+ if (len < 4 + vendor->tag + vendor->len) {
+ log_ppp_warn("radius:packet: vendor %i attribute too short (%i)\n", vendor_id, len);
+ goto out_err;
+ }
ptr += 4;
if (vendor->tag == 2)
@@ -285,9 +292,10 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr)
attr->val.octets = ptr;
break;
case ATTR_TYPE_INTEGER:
- if (len != da->size)
+ if (len != da->size) {
log_ppp_warn("radius:packet: attribute %s has invalid length %i (must be %i)\n", da->name, len, da->size);
- case ATTR_TYPE_DATE:
+ break;
+ }
if (len == 4)
attr->val.integer = ntohl(*(uint32_t*)ptr);
else if (len == 2)
@@ -295,6 +303,12 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr)
else if (len == 1)
attr->val.integer = *ptr;
break;
+ case ATTR_TYPE_DATE:
+ if (len == 4)
+ attr->val.integer = ntohl(*(uint32_t*)ptr);
+ else
+ log_ppp_warn("radius:packet: attribute %s has invalid length %i (must be 4)\n", da->name, len);
+ break;
case ATTR_TYPE_IPADDR:
case ATTR_TYPE_IFID:
case ATTR_TYPE_IPV6ADDR:
diff --git a/accel-pppd/radius/req.c b/accel-pppd/radius/req.c
index 20984982..d2051078 100644
--- a/accel-pppd/radius/req.c
+++ b/accel-pppd/radius/req.c
@@ -78,9 +78,9 @@ static struct rad_req_t *__rad_req_alloc(struct radius_pd_t *rpd, int code, cons
if (code == CODE_ACCESS_REQUEST && conf_blast_protection) {
uint8_t buf[HMAC_MD5_LEN] = {0};
req->pack->message_authenticator = 1;
- req->pack->secret = (uint8_t *)strdup(req->serv->secret);
+ req->pack->secret = (uint8_t *)_strdup(req->serv->secret);
if (rad_packet_add_octets(req->pack, NULL, "Message-Authenticator", buf, HMAC_MD5_LEN)) {
- free(req->pack->secret);
+ _free(req->pack->secret);
req->pack->secret = NULL;
goto out_err;
}