diff options
| author | Vladislav Grishenko <themiron@mail.ru> | 2018-03-04 02:29:46 +0500 |
|---|---|---|
| committer | Vladislav Grishenko <themiron@mail.ru> | 2018-03-04 02:41:47 +0500 |
| commit | 939e952452dd856a574a1d78c15181a93a593996 (patch) | |
| tree | 3e6b12fab35b12cda2be553faec05755a598d4da | |
| parent | 5ccf2f0409c18e216c4da5c7cce5e9fcf14ebf54 (diff) | |
| download | accel-ppp-939e952452dd856a574a1d78c15181a93a593996.tar.gz accel-ppp-939e952452dd856a574a1d78c15181a93a593996.zip | |
fix possible null pointer dereferences
| -rw-r--r-- | accel-pppd/ctrl/ipoe/dhcpv4.c | 4 | ||||
| -rw-r--r-- | accel-pppd/ctrl/l2tp/l2tp.c | 2 | ||||
| -rw-r--r-- | accel-pppd/lua/session.c | 6 | ||||
| -rw-r--r-- | accel-pppd/radius/backup.c | 7 |
4 files changed, 13 insertions, 6 deletions
diff --git a/accel-pppd/ctrl/ipoe/dhcpv4.c b/accel-pppd/ctrl/ipoe/dhcpv4.c index dde5060..8a395ea 100644 --- a/accel-pppd/ctrl/ipoe/dhcpv4.c +++ b/accel-pppd/ctrl/ipoe/dhcpv4.c @@ -1145,7 +1145,7 @@ void dhcpv4_reserve_ip(struct dhcpv4_serv *serv, uint32_t ip) struct dhcpv4_packet *dhcpv4_clone_radius(struct rad_packet_t *rad) { struct dhcpv4_packet *pkt = dhcpv4_packet_alloc(); - uint8_t *ptr = pkt->data, *endptr = ptr + BUF_SIZE; + uint8_t *ptr, *endptr; struct dhcpv4_option *opt; struct rad_attr_t *attr; @@ -1153,6 +1153,8 @@ struct dhcpv4_packet *dhcpv4_clone_radius(struct rad_packet_t *rad) return NULL; pkt->refs = 1; + ptr = pkt->data; + endptr = ptr + BUF_SIZE; list_for_each_entry(attr, &rad->attrs, entry) { if (attr->vendor && attr->vendor->id == VENDOR_DHCP && attr->attr->id < 256) { diff --git a/accel-pppd/ctrl/l2tp/l2tp.c b/accel-pppd/ctrl/l2tp/l2tp.c index 55881b8..cbb9de6 100644 --- a/accel-pppd/ctrl/l2tp/l2tp.c +++ b/accel-pppd/ctrl/l2tp/l2tp.c @@ -3119,7 +3119,7 @@ static int rescode_get_data(const struct l2tp_attr_t *result_attr, return 2; *err_msg = _malloc(msglen + 1); - if (err_msg) { + if (*err_msg) { memcpy(*err_msg, resavp->error_msg, msglen); (*err_msg)[msglen] = '\0'; } diff --git a/accel-pppd/lua/session.c b/accel-pppd/lua/session.c index d65a67b..277b299 100644 --- a/accel-pppd/lua/session.c +++ b/accel-pppd/lua/session.c @@ -217,11 +217,12 @@ static int session_rx_bytes(lua_State *L) { struct ap_session *ses = luaL_checkudata(L, 1, LUA_AP_SESSION); uint64_t gword_sz = (uint64_t)UINT32_MAX + 1; - uint64_t bytes = gword_sz*ses->acct_input_gigawords + ses->acct_rx_bytes; + uint64_t bytes; if (!ses) return 0; + bytes = gword_sz*ses->acct_input_gigawords + ses->acct_rx_bytes; lua_pushnumber(L, bytes); return 1; @@ -231,11 +232,12 @@ static int session_tx_bytes(lua_State *L) { struct ap_session *ses = luaL_checkudata(L, 1, LUA_AP_SESSION); uint64_t gword_sz = (uint64_t)UINT32_MAX + 1; - uint64_t bytes = gword_sz*ses->acct_output_gigawords + ses->acct_tx_bytes; + uint64_t bytes; if (!ses) return 0; + bytes = gword_sz*ses->acct_output_gigawords + ses->acct_tx_bytes; lua_pushnumber(L, bytes); return 1; diff --git a/accel-pppd/radius/backup.c b/accel-pppd/radius/backup.c index 93ab3eb..46041d7 100644 --- a/accel-pppd/radius/backup.c +++ b/accel-pppd/radius/backup.c @@ -30,8 +30,8 @@ static int session_save(struct ap_session *ses, struct backup_mod *m) { struct radius_pd_t *rpd = find_pd(ses); - uint64_t session_timeout = ses->start_time + rpd->session_timeout.expire_tv.tv_sec; - uint32_t idle_timeout = rpd->idle_timeout.period / 1000; + uint64_t session_timeout; + uint32_t idle_timeout; if (!rpd) return 0; @@ -39,6 +39,9 @@ static int session_save(struct ap_session *ses, struct backup_mod *m) if (!rpd->authenticated) return -2; + session_timeout = ses->start_time + rpd->session_timeout.expire_tv.tv_sec; + idle_timeout = rpd->idle_timeout.period / 1000; + add_tag(RAD_TAG_INTERIM_INTERVAL, &rpd->acct_interim_interval, 4); if (rpd->session_timeout.tpd) |