diff options
| author | Denys Fedoryshchenko <denys.f@collabora.com> | 2026-03-16 18:07:36 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-03-16 18:07:36 +0200 |
| commit | 06f64b19a123d623438b95b5e6da00f4bf4ce9c1 (patch) | |
| tree | 53ac00b0bb46ef3b408c700ab6cdebfd815d62ad | |
| parent | b8f6eafe61ffcf6645a51cc2bc13c93cab4955fe (diff) | |
| parent | e09b9c81d54c326c3eca2267d38d91db0ca93f8a (diff) | |
| download | accel-ppp-06f64b19a123d623438b95b5e6da00f4bf4ce9c1.tar.gz accel-ppp-06f64b19a123d623438b95b5e6da00f4bf4ce9c1.zip | |
Merge pull request #297 from nuclearcat/fixes-radius
Various radius fixes
| -rw-r--r-- | accel-pppd/radius/auth.c | 5 | ||||
| -rw-r--r-- | accel-pppd/radius/packet.c | 22 | ||||
| -rw-r--r-- | accel-pppd/radius/req.c | 4 |
3 files changed, 24 insertions, 7 deletions
diff --git a/accel-pppd/radius/auth.c b/accel-pppd/radius/auth.c index 69f1b2ef..73e7a50c 100644 --- a/accel-pppd/radius/auth.c +++ b/accel-pppd/radius/auth.c @@ -434,7 +434,10 @@ static int rad_auth_mschap_v2_recv(struct rad_req_t *req) if (req->reply->code == CODE_ACCESS_ACCEPT) { ra = rad_packet_find_attr(req->reply, "Microsoft", "MS-CHAP2-Success"); if (!ra) { - log_error("radius:auth:mschap-v2: 'MS-CHAP-Success' not found in radius response\n"); + log_error("radius:auth:mschap-v2: 'MS-CHAP2-Success' not found in radius response\n"); + return -1; + } else if (ra->len < 43) { + log_error("radius:auth:mschap-v2: 'MS-CHAP2-Success' too short (%i)\n", ra->len); return -1; } else memcpy(rpd->auth_ctx->authenticator, ra->val.octets + 3, 40); diff --git a/accel-pppd/radius/packet.c b/accel-pppd/radius/packet.c index aae2c6a1..cfc0bc29 100644 --- a/accel-pppd/radius/packet.c +++ b/accel-pppd/radius/packet.c @@ -167,9 +167,8 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr) if (!pack) return 0; - //ptr = mmap(NULL, REQ_LENGTH_MAX, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0); ptr = mempool_alloc(buf_pool); - if (ptr == MAP_FAILED) { + if (!ptr) { log_emerg("radius:packet: out of memory\n"); goto out_err; } @@ -224,9 +223,17 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr) goto out_err; } if (id == 26) { + if (len < 4) { + log_ppp_warn("radius:packet: vendor attribute too short (%i)\n", len); + goto out_err; + } vendor_id = ntohl(*(uint32_t *)ptr); vendor = rad_dict_find_vendor_id(vendor_id); if (vendor) { + if (len < 4 + vendor->tag + vendor->len) { + log_ppp_warn("radius:packet: vendor %i attribute too short (%i)\n", vendor_id, len); + goto out_err; + } ptr += 4; if (vendor->tag == 2) @@ -285,9 +292,10 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr) attr->val.octets = ptr; break; case ATTR_TYPE_INTEGER: - if (len != da->size) + if (len != da->size) { log_ppp_warn("radius:packet: attribute %s has invalid length %i (must be %i)\n", da->name, len, da->size); - case ATTR_TYPE_DATE: + break; + } if (len == 4) attr->val.integer = ntohl(*(uint32_t*)ptr); else if (len == 2) @@ -295,6 +303,12 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr) else if (len == 1) attr->val.integer = *ptr; break; + case ATTR_TYPE_DATE: + if (len == 4) + attr->val.integer = ntohl(*(uint32_t*)ptr); + else + log_ppp_warn("radius:packet: attribute %s has invalid length %i (must be 4)\n", da->name, len); + break; case ATTR_TYPE_IPADDR: case ATTR_TYPE_IFID: case ATTR_TYPE_IPV6ADDR: diff --git a/accel-pppd/radius/req.c b/accel-pppd/radius/req.c index 20984982..d2051078 100644 --- a/accel-pppd/radius/req.c +++ b/accel-pppd/radius/req.c @@ -78,9 +78,9 @@ static struct rad_req_t *__rad_req_alloc(struct radius_pd_t *rpd, int code, cons if (code == CODE_ACCESS_REQUEST && conf_blast_protection) { uint8_t buf[HMAC_MD5_LEN] = {0}; req->pack->message_authenticator = 1; - req->pack->secret = (uint8_t *)strdup(req->serv->secret); + req->pack->secret = (uint8_t *)_strdup(req->serv->secret); if (rad_packet_add_octets(req->pack, NULL, "Message-Authenticator", buf, HMAC_MD5_LEN)) { - free(req->pack->secret); + _free(req->pack->secret); req->pack->secret = NULL; goto out_err; } |
