Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-02-17 17:43:06 -05:00
Code Issues Projects Releases Wiki Activity

RADIUS client: Fix previous failover change

Browse Source 
Commit 347c55e216f22002246e378097a16ecb24b7c106 ('RADIUS client: Re-try
connection if socket is closed on retransmit') added a possibility of
executing RADIUS server failover change within
radius_client_retransmit() without taking into account that this
operation may end up freeing the pending message that is being
processed. This could result in use of freed memory. Avoid this by
checking whether any pending messages have been removed and if so, do
not try to retransmit the potentially freed message.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-02-28 20:52:08 +02:00
parent dcd378ed2e
commit 70fd8287eb
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/radius/radius_client.c
View File

@ -335,13 +335,18 @@ static int radius_client_retransmit(struct radius_client_data *radius,
struct hostapd_radius_servers *conf = radius->conf;
int s;
struct wpabuf *buf;
size_t prev_num_msgs;
if (entry->msg_type == RADIUS_ACCT ||
entry->msg_type == RADIUS_ACCT_INTERIM) {
if (radius->acct_sock < 0)
radius_client_init_acct(radius);
if (radius->acct_sock < 0 && conf->num_acct_servers > 1)
if (radius->acct_sock < 0 && conf->num_acct_servers > 1) {
prev_num_msgs = radius->num_msgs;
radius_client_auth_failover(radius);
if (prev_num_msgs != radius->num_msgs)
return 0;
}
s = radius->acct_sock;
if (entry->attempts == 0)
conf->acct_server->requests++;
@ -352,8 +357,12 @@ static int radius_client_retransmit(struct radius_client_data *radius,
} else {
if (radius->auth_sock < 0)
radius_client_init_auth(radius);
if (radius->auth_sock < 0 && conf->num_auth_servers > 1)
if (radius->auth_sock < 0 && conf->num_auth_servers > 1) {
prev_num_msgs = radius->num_msgs;
radius_client_auth_failover(radius);
if (prev_num_msgs != radius->num_msgs)
return 0;
}
s = radius->auth_sock;
if (entry->attempts == 0)
conf->auth_server->requests++;