author: Guillaume Nault <g.nault@alphalink.fr> 2018-11-07 19:28:56 +0100
committer: Dmitry Kozlov <xeb@mail.ru> 2018-11-12 17:00:34 +0300
commit: 29b90105499d03957a63c0efb22a7852b2b1faa1
tree: 46d6327e6a9b4e360032034c1ad657ac6032690b /accel-pppd/radius
parent: 142c943721615020bca80de4c69e6bbf574529aa
ipcp: fix uninitialised memory access when negotiating *-DNS-Address

When handling the EV_DNS event, IPCP assumes that the ->dns1 and ->dns2 fields of the event structure are properly set. But that may not be the case. If only one of the MS-Primary-DNS-Server or MS-Secondary-DNS-Server RADIUS attributes was received, then only ->dns1 or ->dns2 is set, while the other keeps a non-initialised value.

This uninitialised value is then copied by ev_dns() and proposed to the peer when negotiating the Primary-DNS-Address or Secondary-DNS-Address IPCP options. That leaks four bytes of the stack to the network and prevents using the values found in the [dns] section of accel-ppp.conf as fallback.

Fix this by initialising the whole event structure in rad_proc_attrs(). Then, in ev_dns(), we can check if ->dns1 or ->dns2 is properly set before copying them. That allows to properly fall back to accel-ppp.conf values when one of the values was not provided by RADIUS.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
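The pattern the commit message describes, as an added sketch that is not accel-ppp's code: the producer zeroes the whole event before filling in what it received, so the consumer can tell "not provided" apart from a real address and fall back to configuration. The struct layout, the function names `radius_fill` and `ipcp_apply`, the fallback constants and the use of 0 as the "not set" marker are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in: only the member names ses, dns1 and dns2
 * appear on the page; the types here are assumptions. */
struct ev_dns_t {
    void *ses;
    uint32_t dns1;
    uint32_t dns2;
};

/* Constructed fallback addresses, standing in for the [dns] section. */
#define CONF_DNS1 0x0a000001u /* 10.0.0.1 */
#define CONF_DNS2 0x0a000002u /* 10.0.0.2 */

struct ipcp_dns { uint32_t dns1, dns2; };

/* RADIUS side: zero the whole event first, then fill in only the
 * attributes that were actually received (NULL = not received). */
struct ev_dns_t radius_fill(void *ses, const uint32_t *primary,
                            const uint32_t *secondary)
{
    struct ev_dns_t ev = { 0 };

    ev.ses = ses;
    if (primary)
        ev.dns1 = *primary;
    if (secondary)
        ev.dns2 = *secondary;
    return ev;
}

/* IPCP side: start from the configured values and override a server
 * only when the event carries one. Treating 0 as "not set" is an
 * assumption; it is only sound because radius_fill() zeroed the struct. */
struct ipcp_dns ipcp_apply(const struct ev_dns_t *ev)
{
    struct ipcp_dns out = { CONF_DNS1, CONF_DNS2 };

    if (ev->dns1)
        out.dns1 = ev->dns1;
    if (ev->dns2)
        out.dns2 = ev->dns2;
    return out;
}
```
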
Diffstat (limited to 'accel-pppd/radius')
-rw-r--r-- accel-pppd/radius/radius.c 3
1 files changed, 1 insertions, 2 deletions
diff --git a/accel-pppd/radius/radius.c b/accel-pppd/radius/radius.c
index 6c3c8ee..5e8196d 100644
--- a/accel-pppd/radius/radius.c
+++ b/accel-pppd/radius/radius.c
@@ -148,14 +148,13 @@ out_err:
int rad_proc_attrs(struct rad_req_t *req)
{
+ struct ev_dns_t dns = {};
struct rad_attr_t *attr;
struct ipv6db_addr_t *a;
- struct ev_dns_t dns;
struct ev_wins_t wins;
int res = 0;
struct radius_pd_t *rpd = req->rpd;
- dns.ses = NULL;
wins.ses = NULL;
req->rpd->acct_interim_interval = conf_acct_interim_interval;
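Review bot: `wins` keeps the partial-initialisation pattern that this hunk removes for `dns`: `struct ev_wins_t wins;` followed by `wins.ses = NULL;` still leaves every other member holding stack contents. If the WINS event is consumed the way the commit message describes for DNS, it should be initialised the same way (`struct ev_wins_t wins = {};`), either here or in a follow-up. Separately, the empty initialiser `= {}` is a GNU extension before C23; `= { 0 }` or a memset() is the portable spelling if the project is built with compilers that reject it. The ev_dns() check that the message depends on is outside this diff (limited to accel-pppd/radius), so it cannot be confirmed from these lines.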