rpms/ppp
5
0
Fork 0
Code Issues Pull Requests Releases Activity

pppd: fix possible null pointer dereferencing

Browse Source 
We shouldn't call strcmp directly on return value of crypt() because
it might return NULL.

Resolves: #815617
This commit is contained in:
Michal Sekletar 2013-07-04 16:19:23 +02:00
parent 0c288beeb7
commit f2801bcfd9
2 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
ppp-2.4.5-crypt.patch Normal file
View File

@ -0,0 +1,47 @@
diff -up ppp-2.4.5/pppd/auth.c.crypt ppp-2.4.5/pppd/auth.c
--- ppp-2.4.5/pppd/auth.c.crypt 2013-07-04 16:10:27.338463397 +0200
+++ ppp-2.4.5/pppd/auth.c 2013-07-04 16:15:00.204471203 +0200
@@ -1515,11 +1515,19 @@ check_passwd(unit, auser, userlen, apass
ret = UPAP_AUTHNAK;
}
}
+
if (secret[0] != 0 && !login_secret) {
- /* password given in pap-secrets - must match */
- if ((cryptpap || strcmp(passwd, secret) != 0)
- && strcmp(crypt(passwd, secret), secret) != 0)
- ret = UPAP_AUTHNAK;
+ /* password given in pap-secrets - must match */
+ char *cryptbuf = NULL;
+ cryptbuf = crypt(passwd, secret);
+
+ if (cryptpap) {
+ if ((cryptbuf == NULL) || (strcmp(cryptbuf, secret) != 0))
+ ret = UPAP_AUTHNAK;
+ } else {
+ if ((strcmp(passwd, secret) != 0) && (cryptbuf == NULL || strcmp(cryptbuf, secret) != 0))
+ ret = UPAP_AUTHNAK;
+ }
}
}
fclose(f);
diff -up ppp-2.4.5/pppd/session.c.crypt ppp-2.4.5/pppd/session.c
--- ppp-2.4.5/pppd/session.c.crypt 2009-11-16 23:26:07.000000000 +0100
+++ ppp-2.4.5/pppd/session.c 2013-07-04 16:10:27.354463397 +0200
@@ -348,9 +348,14 @@ session_start(flags, user, passwd, ttyNa
/*
* If no passwd, don't let them login if we're authenticating.
*/
- if (pw->pw_passwd == NULL || strlen(pw->pw_passwd) < 2
- || strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd) != 0)
+ if (pw->pw_passwd == NULL || strlen(pw->pw_passwd) < 2) {
return SESSION_FAILED;
+ } else {
+ char *cryptbuf = NULL;
+ cryptbuf = crypt(passwd, pw->pw_passwd);
+ if ((cryptbuf == NULL) || (strcmp(cryptbuf, pw->pw_passwd) != 0))
+ return SESSION_FAILED;
+ }
}
#endif /* #ifdef USE_PAM */

7
ppp.spec
View File

@ -1,7 +1,7 @@
Summary: The Point-to-Point Protocol daemon Summary: The Point-to-Point Protocol daemon
Name: ppp Name: ppp
Version: 2.4.5 Version: 2.4.5
Release: 30%{?dist} Release: 31%{?dist}
License: BSD and LGPLv2+ and GPLv2+ and Public Domain License: BSD and LGPLv2+ and GPLv2+ and Public Domain
Group: System Environment/Daemons Group: System Environment/Daemons
URL: http://www.samba.org/ppp URL: http://www.samba.org/ppp
@ -34,6 +34,7 @@ Patch30: ppp-2.4.5-eth.patch
Patch31: ppp-2.4.5-lock.patch Patch31: ppp-2.4.5-lock.patch
Patch32: ppp-2.4.5-l2tp-multilink.patch Patch32: ppp-2.4.5-l2tp-multilink.patch
Patch33: ppp-2.4.5-radius-config.patch Patch33: ppp-2.4.5-radius-config.patch
Patch34: ppp-2.4.5-crypt.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: pam-devel, libpcap-devel, openssl-devel BuildRequires: pam-devel, libpcap-devel, openssl-devel
@ -86,6 +87,7 @@ This package contains the header files for building plugins for ppp.
%patch31 -p1 -b .lock %patch31 -p1 -b .lock
%patch32 -p1 -b .l2tp-multilink %patch32 -p1 -b .l2tp-multilink
%patch33 -p1 -b .radius %patch33 -p1 -b .radius
%patch34 -p1 -b .crypt
rm -f scripts/*.local rm -f scripts/*.local
rm -f scripts/*.change_resolv_conf rm -f scripts/*.change_resolv_conf
@ -163,6 +165,9 @@ getent group dip >/dev/null 2>&1 || groupadd -r -g 40 dip >/dev/null 2>&1 || :
%doc PLUGINS %doc PLUGINS
%changelog %changelog
* Thu Jul 04 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-31
- fix possible NULL pointer dereferencing
* Wed May 29 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-30 * Wed May 29 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-30
- make radius plugin config parser less strict - make radius plugin config parser less strict
- resolves : #906913 - resolves : #906913