pppd: fix possible null pointer dereferencing

We shouldn't call strcmp directly on return value of crypt() because it might return NULL. Resolves: #815617
2013-07-04 16:19:23 +02:00 · 2013-07-04 16:19:23 +02:00 · f2801bcfd9
commit f2801bcfd9
parent 0c288beeb7
2 changed files with 53 additions and 1 deletions
--- a/ppp-2.4.5-crypt.patch
+++ b/ppp-2.4.5-crypt.patch
@ -0,0 +1,47 @@
+diff -up ppp-2.4.5/pppd/auth.c.crypt ppp-2.4.5/pppd/auth.c
+--- ppp-2.4.5/pppd/auth.c.crypt	2013-07-04 16:10:27.338463397 +0200
+++ ppp-2.4.5/pppd/auth.c	2013-07-04 16:15:00.204471203 +0200
+@@ -1515,11 +1515,19 @@ check_passwd(unit, auser, userlen, apass
+ 		    ret = UPAP_AUTHNAK;
+ 		}
+ 	    }
+
+ 	    if (secret[0] != 0 && !login_secret) {
+-		/* password given in pap-secrets - must match */
+-		if ((cryptpap || strcmp(passwd, secret) != 0)
+-		    && strcmp(crypt(passwd, secret), secret) != 0)
+-		    ret = UPAP_AUTHNAK;
+		    /* password given in pap-secrets - must match */
+		    char *cryptbuf = NULL;
+		    cryptbuf = crypt(passwd, secret);
+
+		    if (cryptpap) {
+			    if ((cryptbuf == NULL) || (strcmp(cryptbuf, secret) != 0))
+				    ret = UPAP_AUTHNAK;
+		    } else {
+			    if ((strcmp(passwd, secret) != 0) && (cryptbuf == NULL || strcmp(cryptbuf, secret) != 0))
+				    ret = UPAP_AUTHNAK;
+		    }
+ 	    }
+ 	}
+ 	fclose(f);
+diff -up ppp-2.4.5/pppd/session.c.crypt ppp-2.4.5/pppd/session.c
+--- ppp-2.4.5/pppd/session.c.crypt	2009-11-16 23:26:07.000000000 +0100
+++ ppp-2.4.5/pppd/session.c	2013-07-04 16:10:27.354463397 +0200
+@@ -348,9 +348,14 @@ session_start(flags, user, passwd, ttyNa
+ 	/*
+ 	 * If no passwd, don't let them login if we're authenticating.
+ 	 */
+-        if (pw->pw_passwd == NULL || strlen(pw->pw_passwd) < 2
+-            || strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd) != 0)
+        if (pw->pw_passwd == NULL || strlen(pw->pw_passwd) < 2) {
+             return SESSION_FAILED;
+        } else {
+            char *cryptbuf = NULL;
+            cryptbuf = crypt(passwd, pw->pw_passwd);
+            if ((cryptbuf == NULL) || (strcmp(cryptbuf, pw->pw_passwd) != 0))
+                return SESSION_FAILED;
+        }
+     }
+ 
+ #endif /* #ifdef USE_PAM */
--- a/ppp.spec
+++ b/ppp.spec
@ -1,7 +1,7 @@
 Summary: The Point-to-Point Protocol daemon
 Name: ppp
 Version: 2.4.5
-Release: 30%{?dist}
+Release: 31%{?dist}
 License: BSD and LGPLv2+ and GPLv2+ and Public Domain
 Group: System Environment/Daemons
 URL: http://www.samba.org/ppp
@ -34,6 +34,7 @@ Patch30: ppp-2.4.5-eth.patch
 Patch31: ppp-2.4.5-lock.patch
 Patch32: ppp-2.4.5-l2tp-multilink.patch
 Patch33: ppp-2.4.5-radius-config.patch
+Patch34: ppp-2.4.5-crypt.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: pam-devel, libpcap-devel, openssl-devel
@ -86,6 +87,7 @@ This package contains the header files for building plugins for ppp.
 %patch31 -p1 -b .lock
 %patch32 -p1 -b .l2tp-multilink
 %patch33 -p1 -b .radius
+%patch34 -p1 -b .crypt

 rm -f scripts/*.local
 rm -f scripts/*.change_resolv_conf
@ -163,6 +165,9 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || :
 %doc PLUGINS

 %changelog
+* Thu Jul 04 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-31
+- fix possible NULL pointer dereferencing
+
 * Wed May 29 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-30
 - make radius plugin config parser less strict
 - resolves : #906913