aboutsummaryrefslogtreecommitdiffstats
path: root/src/radius
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-02-28 18:52:08 (GMT)
committerJouni Malinen <j@w1.fi>2015-02-28 18:52:08 (GMT)
commit70fd8287eb3b1a62c6a7e78db511f1cc9ba43836 (patch)
tree72a65f9d547c04be70ac2dedbc601e5b9c251e97 /src/radius
parentdcd378ed2e46f6716d0c06cb9ef6e9e6cbb4da5b (diff)
downloadhostap-70fd8287eb3b1a62c6a7e78db511f1cc9ba43836.zip
hostap-70fd8287eb3b1a62c6a7e78db511f1cc9ba43836.tar.gz
hostap-70fd8287eb3b1a62c6a7e78db511f1cc9ba43836.tar.bz2
RADIUS client: Fix previous failover change
Commit 347c55e216f22002246e378097a16ecb24b7c106 ('RADIUS client: Re-try connection if socket is closed on retransmit') added a possibility of executing RADIUS server failover change within radius_client_retransmit() without taking into account that this operation may end up freeing the pending message that is being processed. This could result in use of freed memory. Avoid this by checking whether any pending messages have been removed and if so, do not try to retransmit the potentially freed message. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/radius')
-rw-r--r--src/radius/radius_client.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
index 95f1853..76c76a6 100644
--- a/src/radius/radius_client.c
+++ b/src/radius/radius_client.c
@@ -335,13 +335,18 @@ static int radius_client_retransmit(struct radius_client_data *radius,
struct hostapd_radius_servers *conf = radius->conf;
int s;
struct wpabuf *buf;
+ size_t prev_num_msgs;
if (entry->msg_type == RADIUS_ACCT ||
entry->msg_type == RADIUS_ACCT_INTERIM) {
if (radius->acct_sock < 0)
radius_client_init_acct(radius);
- if (radius->acct_sock < 0 && conf->num_acct_servers > 1)
+ if (radius->acct_sock < 0 && conf->num_acct_servers > 1) {
+ prev_num_msgs = radius->num_msgs;
radius_client_auth_failover(radius);
+ if (prev_num_msgs != radius->num_msgs)
+ return 0;
+ }
s = radius->acct_sock;
if (entry->attempts == 0)
conf->acct_server->requests++;
@@ -352,8 +357,12 @@ static int radius_client_retransmit(struct radius_client_data *radius,
} else {
if (radius->auth_sock < 0)
radius_client_init_auth(radius);
- if (radius->auth_sock < 0 && conf->num_auth_servers > 1)
+ if (radius->auth_sock < 0 && conf->num_auth_servers > 1) {
+ prev_num_msgs = radius->num_msgs;
radius_client_auth_failover(radius);
+ if (prev_num_msgs != radius->num_msgs)
+ return 0;
+ }
s = radius->auth_sock;
if (entry->attempts == 0)
conf->auth_server->requests++;