accel-ppp / Patches / #6 Multiple bugs in 1.7.3

#6 Multiple bugs in 1.7.3

Status: open-accepted

Owner: nobody

Labels: None

Priority: 5

Updated: 2012-12-25

Created: 2012-12-25

Creator: drdaeman

Private: No

1. Wrong pointer is passed to rad_packet_find_attr in accel-pppd/radius/dm_coa.c:coa_request.

2. Server may crash due to NULL pointer dereference if all RADIUS servers are down. This happens in accel-pppd/radius/acct.c:rad_acct_interim_update after __rad_req_send, as it may internally fire EV_PPP_FINISHING, thus calling rad_acct_stop, which frees rpd->acct_req.

3. On little-endian machines an incorrect LCP Magic-Number is logged when sending LCP echo replies (accel-pppd/ppp/ppp_lcp.c:send_echo_reply). This is purely a cosmetic defect.

Three patches are attached.

Thanks.

Discussion

drdaeman - 2012-12-25

Pass proper pointer to rad_packet_find_attr

0001-Pass-proper-pointer-to-rad_packet_find_attr.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

drdaeman - 2012-12-25

Ahem. My bad, only one patch got uploaded and SF does not allow me to add attachments anymore.

I've uploaded them at http://rghost.ru/42511158

Sorry for the inconvenience.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

drdaeman - 2012-12-25

Do not segfault on RADIUS failures during interim

0002-Do-not-segfault-on-RADIUS-failures-during-interim-ac.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

drdaeman - 2012-12-25

Proper logging of LCP Magic-Numbers

0003-Proper-logging-of-LCP-Magic-Numbers.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

xeb - 2012-12-25

Applied, thanks.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

xeb - 2012-12-25

status: open --> closed-accepted
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

drdaeman - 2012-12-25

Sorry for being persistent, but as you had reverted one commit, it seems that the patch that replaced rpd->dm_coa_req with rpd->dm_coa_req->pack was wrong for some reason. However, I don't get how it works, as you're passing a struct rad_dm_coa_req_t * in place of struct rad_packet_t*.

Could you explain it a bit, please?

Thanks.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

drdaeman - 2012-12-25

status: closed-accepted --> open-accepted
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

xeb - 2012-12-26

struct radius_pd_t
{
...
struct rad_packet_t *dm_coa_req;
...
};

there is no struct rad_dm_coa_req_t *
it is struct rad_packet_t*.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link: