diff options
| -rw-r--r-- | AUTHORS | 1 | ||||
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | Makefile.am | 2 | ||||
| -rw-r--r-- | dtls.c | 4 | ||||
| -rw-r--r-- | hash.c | 4 | ||||
| -rw-r--r-- | radsecproxy.c | 10 | ||||
| -rw-r--r-- | radsecproxy.conf.5.xml | 4 | ||||
| -rw-r--r-- | tcp.c | 4 | ||||
| -rw-r--r-- | tls.c | 4 |
9 files changed, 33 insertions, 6 deletions
@@ -22,4 +22,5 @@ Ralf Paffrath Simon Leinen Simon Lundström Stefan Winter +Stephen Röttger Stig Venaas @@ -1,4 +1,8 @@ Changes between 1.6.5 and the master branch + Bug fixes (security): + - Fix two use-after-free, a null pointer dereference and three + heap overflows. Patches by Stephen Röttger. + Bug fixes: - Have rewriteIn for servers use the correct config section. We used to apply rewriteIn using the rewrite block of the client @@ -6,6 +10,8 @@ Changes between 1.6.5 and the master branch RADSECPROXY-59. - Handle CHAP authentication properly when there is no CHAP-Challenge. Fixes RADSECPROXY-58. + - Install radsecproxy.conf.5 unconditionally. Keep regeneration of + it dependent on configure finding docbook2x-man(1). 2013-09-06 1.6.5 Bug fixes: diff --git a/Makefile.am b/Makefile.am index 3636c3d..0cb8516 100644 --- a/Makefile.am +++ b/Makefile.am @@ -52,7 +52,7 @@ radsecproxy_LDADD = librsp.a @SSL_LIBS@ radsecproxy_conf_LDFLAGS = @TARGET_LDFLAGS@ -dist_man_MANS = radsecproxy.1 radsecproxy-hash.1 $(GENMANPAGES) +dist_man_MANS = radsecproxy.1 radsecproxy-hash.1 radsecproxy.conf.5 EXTRA_DIST = \ LICENSE THANKS \ @@ -235,6 +235,10 @@ unsigned char *raddtlsget(SSL *ssl, struct gqueue *rbios, int timeout) { } len = RADLEN(buf); + if (len < 4) { + debug(DBG_ERR, "raddtlsget: length too small"); + continue; + } rad = malloc(len); if (!rad) { debug(DBG_ERR, "raddtlsget: malloc failed"); @@ -87,6 +87,7 @@ void *hash_read(struct hash *h, void *key, uint32_t keylen) { void *hash_extract(struct hash *h, void *key, uint32_t keylen) { struct list_node *ln; struct hash_entry *e; + void *data; if (!h) return 0; @@ -96,9 +97,10 @@ void *hash_extract(struct hash *h, void *key, uint32_t keylen) { if (e->keylen == keylen && !memcmp(e->key, key, keylen)) { free(e->key); list_removedata(h->hashlist, e); + data = e->data; free(e); pthread_mutex_unlock(&h->mutex); - return e->data; + return data; } } pthread_mutex_unlock(&h->mutex); diff --git a/radsecproxy.c b/radsecproxy.c index e098a9a..1590e65 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -777,6 +777,7 @@ int hasdynamicserver(struct list *srvconfs) { void _internal_removeserversubrealms(struct list *realmlist, struct clsrvconf *srv) { struct list_node *entry, *entry2; struct realm *realm; + struct list *srvconfs; for (entry = list_first(realmlist); entry;) { realm = newrealmref((struct realm *)entry->data); @@ -784,16 +785,18 @@ void _internal_removeserversubrealms(struct list *realmlist, struct clsrvconf *s entry = list_next(entry); if (realm->srvconfs) { + srvconfs = realm->srvconfs; for (entry2 = list_first(realm->srvconfs); entry2; entry2 = list_next(entry2)) if (entry2->data == srv) freerealm(realm); - list_removedata(realm->srvconfs, srv); + list_removedata(srvconfs, srv); } if (realm->accsrvconfs) { + srvconfs = realm->accsrvconfs; for (entry2 = list_first(realm->accsrvconfs); entry2; entry2 = list_next(entry2)) if (entry2->data == srv) freerealm(realm); - list_removedata(realm->accsrvconfs, srv); + list_removedata(srvconfs, srv); } /* remove subrealm if no dynamic servers left */ @@ -1157,6 +1160,9 @@ void addttlattr(struct radmsg *msg, uint32_t *attrtype, uint8_t addttl) { int decttl(uint8_t l, uint8_t *v) { int i; + if (l == 0) + return 0; + i = l - 1; if (v[i]) { if (--v[i--]) diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 0c713ea..897205b 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -1015,8 +1015,8 @@ blocktype name { <citerefentry> <refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum> </citerefentry>, - <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec"> - <citetitle>RadSec internet draft</citetitle> + <ulink url="https://tools.ietf.org/html/rfc6614"> + <citetitle>Transport Layer Security (TLS) Encryption for RADIUS</citetitle> </ulink> </para> </refsect1> @@ -169,6 +169,10 @@ unsigned char *radtcpget(int s, int timeout) { } len = RADLEN(buf); + if (len < 4) { + debug(DBG_ERR, "radtcpget: length too small"); + continue; + } rad = malloc(len); if (!rad) { debug(DBG_ERR, "radtcpget: malloc failed"); @@ -216,6 +216,10 @@ unsigned char *radtlsget(SSL *ssl, int timeout) { } len = RADLEN(buf); + if (len < 4) { + debug(DBG_ERR, "radtlsget: length too small"); + continue; + } rad = malloc(len); if (!rad) { debug(DBG_ERR, "radtlsget: malloc failed"); |