system/5236: login_radius: raddauth.c: local array _pwstate[] referenced after raddauth() returns


Stefan Krah
>Number:         5236
>Category:       system
>Synopsis:       login_radius: raddauth.c: local array _pwstate[] referenced after function returns
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 12 12:00:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Stefan Krah
>Release:        OPENBSD_3_9_BASE
>Organization:
net
>Environment:
        <machine, os, target, libraries (multiple lines)>
        System      : OpenBSD 3.9
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:

If an error occurs in raddauth(), the pointer *emsg is supposed to point to
an error string after raddauth() returns. In some cases, this error string
is written into the local array _pwstate[1024].


>How-To-Repeat:

[before the fix]
# /usr/libexec/auth/login_radius -d foo bar

reject


[after the fix]
# /usr/libexec/auth/login_radius -d foo bar
bar: no such class
reject


>Fix:

One possible way, maybe ugly:


================================================================
--- raddauth.c  Tue Sep 12 12:40:46 2006
+++ raddauth-new.c      Tue Sep 12 12:39:10 2006
@@ -112,6 +112,7 @@

 char *radius_dir = RADIUS_DIR;
 char auth_secret[MAXSECRETLEN+1];
+char _pwstate[1024];
 volatile sig_atomic_t timedout;
 int alt_retries;
 int retries;
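Review bot: the new file-scope `_pwstate` in this hunk is declared without `static`, so it gets external linkage, and a file-scope identifier beginning with an underscore is reserved for the implementation in C. Suggest `static char pwstate_buf[1024];` (renaming the uses to match) plus a one-line comment saying the buffer has static storage because `*emsg` may point into it after raddauth() returns, so that nobody later moves it back onto the stack.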
@@ -147,7 +148,7 @@
        u_char req_id;
        char *userstyle, *passwd, *pwstate;
        int auth_port;
-       char vector[AUTH_VECTOR_LEN+1], _pwstate[1024], *p, *v;
+       char vector[AUTH_VECTOR_LEN+1], *p, *v;
        int i;
        login_cap_t *lc;
        u_int32_t r;
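Review bot: removing `_pwstate[1024]` from the local declaration here means the buffer now keeps its contents between calls and the function is no longer reentrant with respect to it, so a caller has to consume `*emsg` before calling again. If wider visibility is not needed, a separate `static char _pwstate[1024];` declaration inside this function would give the same lifetime with function scope. The near-identical names `pwstate` and `_pwstate` on adjacent lines would also be worth telling apart while this line is being touched.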
@@ -192,7 +193,7 @@
        if (passwd == NULL)
                passwd = "";

-       if ((v = login_getcapstr(lc, "radius-server", NULL, NULL)) == NULL){
+       if ((v = login_getcapstr(lc, "radius-server", NULL, NULL)) == NULL) {
                *emsg = "radius-server not configured";
                return (1);
        }
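Review bot: the `){` to `) {` change on the `login_getcapstr` line is whitespace only and unrelated to the `_pwstate` lifetime fix; suggest dropping it from this patch or sending it separately so the fix stays minimal. The `*emsg` assignment below it points at a string literal, which already has static storage, so this path needs no change.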

================================================================


>Release-Note:
>Audit-Trail:
>Unformatted:
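
The lifetime problem described in the report, as an added stand-alone example that is not code from raddauth.c. The names check_class_dangling, check_class_safe, class_exists and ERRLEN are hypothetical, and the caller-owned buffer shown in the "after" form is an alternative remedy to the patch's file-scope array.

```c
/* Added illustration; all names here are hypothetical, not from raddauth.c. */
#include <stdio.h>
#include <string.h>

#define ERRLEN 1024

/* Constructed stand-in for a login class lookup: only "default" exists. */
static int class_exists(const char *cls)
{
	return strcmp(cls, "default") == 0;
}

/* BEFORE: the message is formatted into automatic storage, so *emsg
 * dangles as soon as the function returns. Shown for comparison only;
 * the pointer it hands back must never be dereferenced. */
int check_class_dangling(const char *cls, const char **emsg)
{
	char buf[ERRLEN];

	if (!class_exists(cls)) {
		snprintf(buf, sizeof(buf), "%s: no such class", cls);
		*emsg = buf;	/* address of a dead stack frame after return */
		return 1;
	}
	return 0;
}

/* AFTER: the caller owns the buffer, so the message lives as long as the
 * caller needs it and the function stays reentrant. */
int check_class_safe(const char *cls, char *errbuf, size_t errlen)
{
	if (errlen > 0)
		errbuf[0] = '\0';	/* never leave stale text behind */
	if (!class_exists(cls)) {
		snprintf(errbuf, errlen, "%s: no such class", cls);
		return 1;
	}
	return 0;
}

int main(void)
{
	char err[ERRLEN];

	if (check_class_safe("bar", err, sizeof(err)) != 0)
		printf("%s\nreject\n", err);
	return 0;
}
```

Recent GCC and Clang can flag the "before" form at compile time or at run time (for example AddressSanitizer with stack-use-after-return detection enabled), which is a cheap check to add to a build that contains this pattern.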