-rw-r--r--AUTHORS1
-rw-r--r--ChangeLog6
-rw-r--r--Makefile.am2
-rw-r--r--dtls.c4
-rw-r--r--hash.c4
-rw-r--r--radsecproxy.c10
-rw-r--r--radsecproxy.conf.5.xml4
-rw-r--r--tcp.c4
-rw-r--r--tls.c4
9 files changed, 33 insertions, 6 deletions
diff --git a/AUTHORS b/AUTHORS
index de1e005..0e0436a 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -22,4 +22,5 @@ Ralf Paffrath
Simon Leinen
Simon Lundström
Stefan Winter
+Stephen Röttger
Stig Venaas
diff --git a/ChangeLog b/ChangeLog
index 62bcc1a..22ad09b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
Changes between 1.6.5 and the master branch
+ Bug fixes (security):
+ - Fix two use-after-free, a null pointer dereference and three
+ heap overflows. Patches by Stephen Röttger.
+
Bug fixes:
- Have rewriteIn for servers use the correct config section. We
used to apply rewriteIn using the rewrite block of the client
@@ -6,6 +10,8 @@ Changes between 1.6.5 and the master branch
RADSECPROXY-59.
- Handle CHAP authentication properly when there is no
CHAP-Challenge. Fixes RADSECPROXY-58.
+ - Install radsecproxy.conf.5 unconditionally. Keep regeneration of
+ it dependent on configure finding docbook2x-man(1).
2013-09-06 1.6.5
Bug fixes:
diff --git a/Makefile.am b/Makefile.am
index 3636c3d..0cb8516 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -52,7 +52,7 @@ radsecproxy_LDADD = librsp.a @SSL_LIBS@
radsecproxy_conf_LDFLAGS = @TARGET_LDFLAGS@
-dist_man_MANS = radsecproxy.1 radsecproxy-hash.1 $(GENMANPAGES)
+dist_man_MANS = radsecproxy.1 radsecproxy-hash.1 radsecproxy.conf.5
EXTRA_DIST = \
LICENSE THANKS \
diff --git a/dtls.c b/dtls.c
index 2586b8f..8f8c90a 100644
--- a/dtls.c
+++ b/dtls.c
@@ -235,6 +235,10 @@ unsigned char *raddtlsget(SSL *ssl, struct gqueue *rbios, int timeout) {
}
len = RADLEN(buf);
+ if (len < 4) {
+ debug(DBG_ERR, "raddtlsget: length too small");
+ continue;
+ }
rad = malloc(len);
if (!rad) {
debug(DBG_ERR, "raddtlsget: malloc failed");
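Review bot: The new lower bound in raddtlsget only covers the four header bytes already held in `buf`. A RADIUS packet is at least 20 bytes (code, identifier, length and a 16-byte authenticator), so a declared length of 4 to 19 is still allocated and passed on. Whether the later parsing re-checks the length is not visible in this hunk, so rejecting it at the read boundary would be safer: `if (len < 20) {`. The same bound is added to radtcpget in tcp.c and radtlsget in tls.c, and the same remark applies there. The body of raddtlsget starts and ends outside the hunk.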
diff --git a/hash.c b/hash.c
index ab17433..19d6c18 100644
--- a/hash.c
+++ b/hash.c
@@ -87,6 +87,7 @@ void *hash_read(struct hash *h, void *key, uint32_t keylen) {
void *hash_extract(struct hash *h, void *key, uint32_t keylen) {
struct list_node *ln;
struct hash_entry *e;
+ void *data;
if (!h)
return 0;
@@ -96,9 +97,10 @@ void *hash_extract(struct hash *h, void *key, uint32_t keylen) {
if (e->keylen == keylen && !memcmp(e->key, key, keylen)) {
free(e->key);
list_removedata(h->hashlist, e);
+ data = e->data;
free(e);
pthread_mutex_unlock(&h->mutex);
- return e->data;
+ return data;
}
}
pthread_mutex_unlock(&h->mutex);
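Review bot: In hash_extract the ordering of `data = e->data;` before `free(e);` is what fixes the use-after-free, but nothing in the code says so, and a later tidy-up could easily reintroduce the read after free. A one-line comment above the assignment would pin it, for example `/* read e->data before free(e); the entry is gone once it is freed */`. The function's header would also benefit from stating that the entry and its key are freed here while the returned data pointer is left for the caller to manage, which is what the visible lines do.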
diff --git a/radsecproxy.c b/radsecproxy.c
index e098a9a..1590e65 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -777,6 +777,7 @@ int hasdynamicserver(struct list *srvconfs) {
void _internal_removeserversubrealms(struct list *realmlist, struct clsrvconf *srv) {
struct list_node *entry, *entry2;
struct realm *realm;
+ struct list *srvconfs;
for (entry = list_first(realmlist); entry;) {
realm = newrealmref((struct realm *)entry->data);
@@ -784,16 +785,18 @@ void _internal_removeserversubrealms(struct list *realmlist, struct clsrvconf *s
entry = list_next(entry);
if (realm->srvconfs) {
+ srvconfs = realm->srvconfs;
for (entry2 = list_first(realm->srvconfs); entry2; entry2 = list_next(entry2))
if (entry2->data == srv)
freerealm(realm);
- list_removedata(realm->srvconfs, srv);
+ list_removedata(srvconfs, srv);
}
if (realm->accsrvconfs) {
+ srvconfs = realm->accsrvconfs;
for (entry2 = list_first(realm->accsrvconfs); entry2; entry2 = list_next(entry2))
if (entry2->data == srv)
freerealm(realm);
- list_removedata(realm->accsrvconfs, srv);
+ list_removedata(srvconfs, srv);
}
/* remove subrealm if no dynamic servers left */
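Review bot: Both inner loops in _internal_removeserversubrealms still walk the list through `realm->srvconfs` / `realm->accsrvconfs` and keep calling `list_next(entry2)` after `freerealm(realm)`. Only the trailing `list_removedata` call was switched to the saved `srvconfs` pointer. If `freerealm` can release the realm or its lists when the last reference drops (its body is not visible here), the loop continuation and the saved pointer would both refer to freed memory. Iterating over the saved pointer, `for (entry2 = list_first(srvconfs); entry2; entry2 = list_next(entry2))`, makes the intent consistent. A short comment saying which reference keeps the list alive across `freerealm` would make the lifetime argument checkable. The function continues outside the hunk.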
@@ -1157,6 +1160,9 @@ void addttlattr(struct radmsg *msg, uint32_t *attrtype, uint8_t addttl) {
int decttl(uint8_t l, uint8_t *v) {
int i;
+ if (l == 0)
+ return 0;
+
i = l - 1;
if (v[i]) {
if (--v[i--])
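Review bot: The new `if (l == 0) return 0;` guard in decttl carries no explanation of why it exists or what a return of 0 tells the caller. Without the guard, `i = l - 1` becomes -1 and the following `v[i]` reads before the start of the buffer. A comment such as `/* empty value: nothing to decrement, and v[l - 1] would index before v */` would record that. What 0 means to callers is not visible in this hunk, so it is worth confirming that an empty TTL attribute should be treated the same as whatever 0 already signals. The rest of decttl lies outside the hunk.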
diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml
index 0c713ea..897205b 100644
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -1015,8 +1015,8 @@ blocktype name {
<citerefentry>
<refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
- <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec">
- <citetitle>RadSec internet draft</citetitle>
+ <ulink url="https://tools.ietf.org/html/rfc6614">
+ <citetitle>Transport Layer Security (TLS) Encryption for RADIUS</citetitle>
</ulink>
</para>
</refsect1>
diff --git a/tcp.c b/tcp.c
index 0ad574c..a2f8e7c 100644
--- a/tcp.c
+++ b/tcp.c
@@ -169,6 +169,10 @@ unsigned char *radtcpget(int s, int timeout) {
}
len = RADLEN(buf);
+ if (len < 4) {
+ debug(DBG_ERR, "radtcpget: length too small");
+ continue;
+ }
rad = malloc(len);
if (!rad) {
debug(DBG_ERR, "radtcpget: malloc failed");
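Review bot: On a byte stream, the `continue` after "length too small" in radtcpget goes back to reading, so the next four bytes are taken as a fresh header even though framing is already lost. Whatever follows the bad header is then parsed at an arbitrary offset. Treating a malformed length as fatal for the connection is the safer choice, for example returning NULL if that is how this function reports a dead connection (its other error paths are outside the hunk, so this needs checking). radtlsget in tls.c has the same pattern. The DTLS variant is datagram-based, so skipping one bad packet there is reasonable.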
diff --git a/tls.c b/tls.c
index d376e73..d33fc1b 100644
--- a/tls.c
+++ b/tls.c
@@ -216,6 +216,10 @@ unsigned char *radtlsget(SSL *ssl, int timeout) {
}
len = RADLEN(buf);
+ if (len < 4) {
+ debug(DBG_ERR, "radtlsget: length too small");
+ continue;
+ }
rad = malloc(len);
if (!rad) {
debug(DBG_ERR, "radtlsget: malloc failed");