On Tue, 9 Sep 2003, Alan DeKok wrote:

> Date: Tue, 09 Sep 2003 14:19:49 -0400
> From: Alan DeKok <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Minor (but crashing) bug in rlm_mschap 
> 
> Peter Stamfest <[EMAIL PROTECTED]> wrote:
> > With freeradius-0.9.1 radiusd constantly crashed (using radiusd -X) when
> > doing MSCHAP. I tracked the problem to the code that generates the
> > SMB-Account-CTRL value from SMB-Account-CTRL-TEXT if SMB-Account-CTRL was
> > missing (BTW: I am using LDAP to store data). The integer value for
> > SMB-Account-CTRL was initialized from an empty string ("") instead of a
> > string representation of an integer (eg. "0"), resulting in a NULL pointer
> > deref later on.
> 
>   Where?  I don't see why any of that code would core dump.  Can you
> supply a back trace, with indication as to which pointer was NULL?

The pairmake function returns NULL which gets dereferenced two lines below 
(smb_ctrl->lvalue).

The problem surfaces through the return of NULL at line 601 in
pairparsevalue in src/lib/valuepair.c which makes pairmake return NULL in
the case of an integer that does not start with a digit ("" does not start
with a digit).

Here is a backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 18105)]
0x400226f0 in mschap_authenticate (instance=0x80fb1d0, request=0x8104178)
    at rlm_mschap.c:625
625                             smb_ctrl->lvalue = 
pdb_decode_acct_ctrl(password->strvalue);
(gdb) bt
#0  0x400226f0 in mschap_authenticate (instance=0x80fb1d0, request=0x8104178)
    at rlm_mschap.c:625
#1  0x08054cb5 in module_post_auth ()
#2  0x08054e16 in modcall ()
#3  0x08054cff in module_post_auth ()
#4  0x08054dd1 in modcall ()
#5  0x08054a5b in module_authenticate ()
#6  0x08051d83 in rad_check_password ()
#7  0x08052043 in rad_authenticate ()
#8  0x0804d475 in rad_respond ()
#9  0x0804d0ec in rad_process ()
#10 0x0804ce32 in main ()
#11 0x400c21c4 in __libc_start_main () from /lib/libc.so.6
(gdb) print smb_ctrl
$1 = (VALUE_PAIR *) 0x0
peter
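A minimal model of the failure described above and of the checked alternative, added here as an illustration; it is not FreeRADIUS code. The names model_value_pair, model_pairmake and model_set_acct_ctrl are hypothetical stand-ins for VALUE_PAIR, pairmake and the block around rlm_mschap.c:625, and the integer-parsing rule is the one the mail describes (a string not starting with a digit yields NULL).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for VALUE_PAIR carrying only the field the crash touched.
 * Hypothetical model, not the project's real struct. */
typedef struct {
    long lvalue;
} model_value_pair;

/* Models the pairmake()/pairparsevalue() behaviour from the mail: an integer
 * attribute whose string does not start with a digit cannot be parsed, so the
 * function returns NULL. "" therefore yields NULL as well. */
static model_value_pair *model_pairmake(const char *value)
{
    if (!isdigit((unsigned char)value[0])) return NULL;
    model_value_pair *vp = calloc(1, sizeof *vp);
    if (vp != NULL) vp->lvalue = strtol(value, NULL, 10);
    return vp;
}

/* Checked version of the step that crashed at rlm_mschap.c:625. The unchecked
 * pattern was, in effect:
 *     smb_ctrl = pairmake(..., "", ...);            // returns NULL for ""
 *     smb_ctrl->lvalue = pdb_decode_acct_ctrl(...);  // NULL dereference
 * Here an empty initial string is replaced by "0" (a valid integer string) and
 * the result of pairmake is checked before use. 'decoded' stands in for the
 * value pdb_decode_acct_ctrl() would produce.
 * Returns the stored value, or -1 if the pair could not be created. */
static long model_set_acct_ctrl(const char *initial, long decoded)
{
    const char *init = (initial[0] != '\0') ? initial : "0";  /* never pass "" */
    model_value_pair *smb_ctrl = model_pairmake(init);
    if (smb_ctrl == NULL) return -1;     /* refuse to dereference a failed pairmake */
    smb_ctrl->lvalue = decoded;
    long result = smb_ctrl->lvalue;
    free(smb_ctrl);
    return result;
}

int main(void)
{
    printf("pairmake(\"\") -> %s\n", model_pairmake("") == NULL ? "NULL" : "pair");
    printf("acct_ctrl from \"\" -> %ld\n", model_set_acct_ctrl("", 0x10));
    printf("acct_ctrl from \"abc\" -> %ld\n", model_set_acct_ctrl("abc", 0x10));
    return 0;
}
```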


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
