Hi guys,
Discovered this SEGV when trying out radiusd with bsdauth and an
alternative user auth mechanism, when group checking is enabled.
If the user argument has the ":style" suffix attached to it then
getpwnam(user) will return a NULL pointer.
I tried just using strsep(3) to strip off the auth style and it works for
me (this is probably not the safest bit of coding but I'm sure you'll figure
it out).
--- usr.sbin/radiusd/radiusd_bsdauth.c.orig Fri Dec 13 22:13:13 2019
+++ usr.sbin/radiusd/radiusd_bsdauth.c Fri Dec 13 22:12:29 2019
@@ -164,7 +164,7 @@
case IMSG_BSDAUTH_GROUPCHECK:
{
int i;
- char *user, *group;
+ char *user, *group, *tmp;
struct passwd *pw;
struct group gr0, *gr;
char g_buf[4096];
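Review bot: on the changed declaration line, `tmp` exists only as the cursor that strsep() needs, and its name says nothing about that role. Either give it a descriptive name, or drop the extra variable by truncating in place, for example `user[strcspn(user, ":")] = '\0';`.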
@@ -189,6 +189,8 @@
group = user + args->userlen;
group[args->grouplen - 1] = '\0';
+ tmp = user;
+ user = strsep(&tmp, ":");
pw = getpwnam(user);
if (getgrnam_r(group, &gr0, g_buf,
sizeof(g_buf), &gr) == -1 || gr == NULL)
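Review bot: the result of `pw = getpwnam(user);` is still not checked for NULL in this hunk; the `if` that follows tests only `gr`. Stripping the ":style" suffix removes one cause of a NULL return, but an unknown user or an empty name (input that begins with ':') still yields NULL, so consider adding `pw == NULL` to the failure condition next to `gr == NULL`. A one-line comment saying that the auth style is being stripped before the lookup would also help the next reader.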
BR,
Dennis.
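
The lookup described above in a hardened form, as an added example that is not part of the original message or of radiusd: it strips the ":style" suffix into a copy instead of editing the request buffer, and it treats a NULL from getpwnam(3) as a failed check. The helper names `strip_auth_style` and `user_in_group`, the 64-byte name buffer and the membership test are assumptions made for illustration.

```c
#include <grp.h>
#include <pwd.h>
#include <string.h>

/*
 * Copy the login name from "user[:style]" into out.
 * Returns 0 on success, -1 if the name is empty or does not fit.
 */
int
strip_auth_style(const char *login, char *out, size_t outlen)
{
	size_t n = strcspn(login, ":");	/* bytes before the first ':' or the end */

	if (n == 0 || n >= outlen)
		return -1;
	memcpy(out, login, n);
	out[n] = '\0';
	return 0;
}

/*
 * Returns 1 if the user is in the group, 0 if not,
 * -1 if the user or the group cannot be resolved.
 */
int
user_in_group(const char *login, const char *group)
{
	char name[64], g_buf[4096];	/* sizes are assumptions for this example */
	struct passwd *pw;
	struct group gr0, *gr = NULL;
	int i;

	if (strip_auth_style(login, name, sizeof(name)) == -1)
		return -1;
	if ((pw = getpwnam(name)) == NULL)	/* unknown user: fail, never dereference */
		return -1;
	/* getgrnam_r() returns 0 on success and an error number otherwise */
	if (getgrnam_r(group, &gr0, g_buf, sizeof(g_buf), &gr) != 0 || gr == NULL)
		return -1;
	if (gr->gr_gid == pw->pw_gid)		/* primary group matches */
		return 1;
	for (i = 0; gr->gr_mem[i] != NULL; i++)	/* supplementary membership */
		if (strcmp(gr->gr_mem[i], name) == 0)
			return 1;
	return 0;
}
```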