fix possible null pointer dereferences

939e9524 · Vladislav Grishenko · 5ccf2f04 · 939e9524 · 939e9524 · 939e9524
4 changed file
--- a/accel-pppd/ctrl/ipoe/dhcpv4.c
+++ b/accel-pppd/ctrl/ipoe/dhcpv4.c
@@ -1145,7 +1145,7 @@ void dhcpv4_reserve_ip(struct dhcpv4_serv *serv, uint32_t ip)
 struct dhcpv4_packet *dhcpv4_clone_radius(struct rad_packet_t *rad)
 {
 	struct dhcpv4_packet *pkt = dhcpv4_packet_alloc();
-	uint8_t *ptr = pkt->data, *endptr = ptr + BUF_SIZE;
+	uint8_t *ptr, *endptr;
 	struct dhcpv4_option *opt;
 	struct rad_attr_t *attr;

@@ -1153,6 +1153,8 @@ struct dhcpv4_packet *dhcpv4_clone_radius(struct rad_packet_t *rad)
 		return NULL;

 	pkt->refs = 1;
+	ptr = pkt->data;
+	endptr = ptr + BUF_SIZE;

 	list_for_each_entry(attr, &rad->attrs, entry) {
 		if (attr->vendor && attr->vendor->id == VENDOR_DHCP && attr->attr->id < 256) {

--- a/accel-pppd/ctrl/l2tp/l2tp.c
+++ b/accel-pppd/ctrl/l2tp/l2tp.c
@@ -3119,7 +3119,7 @@ static int rescode_get_data(const struct l2tp_attr_t *result_attr,
 		return 2;

 	*err_msg = _malloc(msglen + 1);
-	if (err_msg) {
+	if (*err_msg) {
 		memcpy(*err_msg, resavp->error_msg, msglen);
 		(*err_msg)[msglen] = '\0';
 	}

--- a/accel-pppd/lua/session.c
+++ b/accel-pppd/lua/session.c
@@ -217,11 +217,12 @@ static int session_rx_bytes(lua_State *L)
 {
 	struct ap_session *ses = luaL_checkudata(L, 1, LUA_AP_SESSION);
 	uint64_t gword_sz = (uint64_t)UINT32_MAX + 1;
-	uint64_t bytes = gword_sz*ses->acct_input_gigawords + ses->acct_rx_bytes;
+	uint64_t bytes;

 	if (!ses)
 		return 0;

+	bytes = gword_sz*ses->acct_input_gigawords + ses->acct_rx_bytes;
 	lua_pushnumber(L, bytes);

 	return 1;
@@ -231,11 +232,12 @@ static int session_tx_bytes(lua_State *L)
 {
 	struct ap_session *ses = luaL_checkudata(L, 1, LUA_AP_SESSION);
 	uint64_t gword_sz = (uint64_t)UINT32_MAX + 1;
-	uint64_t bytes = gword_sz*ses->acct_output_gigawords + ses->acct_tx_bytes;
+	uint64_t bytes;

 	if (!ses)
 		return 0;

+	bytes = gword_sz*ses->acct_output_gigawords + ses->acct_tx_bytes;
 	lua_pushnumber(L, bytes);

 	return 1;

--- a/accel-pppd/radius/backup.c
+++ b/accel-pppd/radius/backup.c
@@ -30,8 +30,8 @@
 static int session_save(struct ap_session *ses, struct backup_mod *m)
 {
 	struct radius_pd_t *rpd = find_pd(ses);
-	uint64_t session_timeout = ses->start_time + rpd->session_timeout.expire_tv.tv_sec;
-	uint32_t idle_timeout = rpd->idle_timeout.period / 1000;
+	uint64_t session_timeout;
+	uint32_t idle_timeout;

 	if (!rpd)
 		return 0;
@@ -39,6 +39,9 @@ static int session_save(struct ap_session *ses, struct backup_mod *m)
 	if (!rpd->authenticated)
 		return -2;

+	session_timeout = ses->start_time + rpd->session_timeout.expire_tv.tv_sec;
+	idle_timeout = rpd->idle_timeout.period / 1000;
+
 	add_tag(RAD_TAG_INTERIM_INTERVAL, &rpd->acct_interim_interval, 4);

 	if (rpd->session_timeout.tpd)