headers
Daniel O'Connor | 1 May 2006 07:50
Picon

Re: Null pointer deref

On Monday 01 May 2006 12:45, Alan DeKok wrote:
> "Daniel O'Connor" <darius <at> dons.net.au> wrote:
> > The strcmp's around lines 1630 and 1659 can be done on a NULL pointer (eg
> > mainconfig.do_lower_user) which causes a crash.
>
>   I presume you mean in src/main/radiusd.c ?

Whoops, yes, sorry :)

>   I'm curious as to how a NULL pointer got into those entries in the
> "mainconfig" data structure.  The server is set up so that if there's
> no entry for those configs in radiusd.conf, then a default value of
> "no" is used.  See src/main/mainconfig.c.

Yes, I was pretty suprised too :(

>   I've never seen this bug before, so my first guess is that you're
> not running a stock server, and that the changes don't initialize
> those entries.

I built the server from the ports tree in FreeBSD. I also tried the OpenWRT
package (as the end goal is for WPA auth) and it seems to have exactly the
same problem (well, it segfaults with the same config file).

There are a few patches in the FreeBSD port but none affect that code.

I put a watch on mainconfig.do_lower_user and it doesn't get touched..
Hmm.. digs a bit further..
It appears that in read_radius_conf_file conf_read returns NULL so the
cf_section_parse call is never made.
(Continue reading)

Permalink | Reply |
headers
Alan DeKok | 1 May 2006 15:31

Re: Null pointer deref

"Daniel O'Connor" <darius <at> dons.net.au> wrote:
> It appears that in read_radius_conf_file conf_read returns NULL so the
> cf_section_parse call is never made.

  So how did you convince the server to keep running after that?  My
reading of the code indicates that it should exit() if that
conf_read() returns NULL.

  Alan DeKok.
Permalink | Reply |
headers
Daniel O'Connor | 2 May 2006 01:44
Picon

Re: Null pointer deref

On Monday 01 May 2006 23:01, Alan DeKok wrote:
> "Daniel O'Connor" <darius <at> dons.net.au> wrote:
> > It appears that in read_radius_conf_file conf_read returns NULL so the
> > cf_section_parse call is never made.
>
>   So how did you convince the server to keep running after that?  My
> reading of the code indicates that it should exit() if that
> conf_read() returns NULL.

I am not sure :(
Perhaps I am misunderstanding the failure mode.

I've attached my config files if you wish to try and replicate the problem.

I run 'radiusd -X -A' and then test it with..
radtest testuser testpassword localhost 1 password

--

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

DEFAULT Group == "disabled", Auth-Type := Reject
		Reply-Message = "Your account has been disabled."
(Continue reading)

Permalink | Reply |
headers
Alan DeKok | 3 May 2006 01:19

Re: Null pointer deref

"Daniel O'Connor" <darius <at> dons.net.au> wrote:
> I've attached my config files if you wish to try and replicate the problem.

  Even with that, I can't reproduce it, sorry.

  Alan DeKok.
Permalink | Reply |
headers
Daniel O'Connor | 3 May 2006 01:41
Picon

Re: Null pointer deref

On Wednesday 03 May 2006 08:49, Alan DeKok wrote:
> "Daniel O'Connor" <darius <at> dons.net.au> wrote:
> > I've attached my config files if you wish to try and replicate the
> > problem.
>
>   Even with that, I can't reproduce it, sorry.

Huh, weird :(
I see it on both FreeBSD and on OpenWRT..
I don't have any other platforms to try it on :(

--

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

On Wednesday 03 May 2006 08:49, Alan DeKok wrote:
> "Daniel O'Connor" <darius <at> dons.net.au> wrote:
> > I've attached my config files if you wish to try and replicate the
> > problem.
>
>   Even with that, I can't reproduce it, sorry.

Huh, weird :(
I see it on both FreeBSD and on OpenWRT..
I don't have any other platforms to try it on :(
(Continue reading)

Permalink | Reply |

Gmane