- rel 3
[packages/freeradius.git] / freeradius-sql_injection.patch
1 ===================================================================
2 RCS file: /web/pages/us.freeradius.org/cvs/radiusd/src/modules/rlm_sql/rlm_sql.c,v
3 retrieving revision 1.131.2.1
4 retrieving revision 1.131.2.3
5 diff -u -p -r1.131.2.1 -r1.131.2.3
6 --- radiusd/src/modules/rlm_sql/rlm_sql.c       2004/09/30 14:54:22     1.131.2.1
7 +++ radiusd/src/modules/rlm_sql/rlm_sql.c       2005/05/18 13:22:18     1.131.2.3
8 @@ -2,7 +2,7 @@
9   * rlm_sql.c           SQL Module
10   *             Main SQL module file. Most ICRADIUS code is located in sql.c
11   *
12 - * Version:    $Id$
13 + * Version:    $Id$
14   *
15   *   This program is free software; you can redistribute it and/or modify
16   *   it under the terms of the GNU General Public License as published by
17 @@ -24,7 +24,7 @@
18   */
19  
20  static const char rcsid[] =
21 -       "$Id$";
22 +       "$Id$";
23  
24  #include "autoconf.h"
25  
26 @@ -158,6 +158,7 @@ static int rlm_sql_init(void) {
27   */
28  static int sql_set_user(SQL_INST *inst, REQUEST *request, char *sqlusername, const char *username);
29  static int generate_sql_clients(SQL_INST *inst);
30 +static int sql_escape_func(char *out, int outlen, const char *in);
31  
32  /*
33   *     sql xlat function. Right now only SELECTs are supported. Only
34 @@ -184,7 +185,7 @@ static int sql_xlat(void *instance, REQU
35         /*
36          * Do an xlat on the provided string (nice recursive operation).
37          */
38 -       if (!radius_xlat(querystr, sizeof(querystr), fmt, request, func)) {
39 +       if (!radius_xlat(querystr, sizeof(querystr), fmt, request, sql_escape_func)) {
40                 radlog(L_ERR, "rlm_sql (%s): xlat failed.",
41                        inst->config->xlat_name);
42                 return 0;
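Review bot: The escape callback this call used to forward (`func`) is now dropped with no explanation at the call site in sql_xlat. If `func` is sql_xlat's own parameter (the signature is truncated in the hunk header, so this is inferred), it is probably unused after the change, and a later reader may restore it as a cleanup. A comment above the call would prevent that, for example `/* Always escape with sql_escape_func: the expansion is executed as SQL, so the caller-supplied escape function is deliberately not used. */`. The body of sql_xlat starts and ends outside this hunk.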
43 @@ -409,18 +410,18 @@ static int sql_escape_func(char *out, in
44  
45         while (in[0]) {
46                 /*
47 -                *  Only one byte left.
48 -                */
49 -               if (outlen <= 1) {
50 -                       break;
51 -               }
52 -
53 -               /*
54                  *      Non-printable characters get replaced with their
55                  *      mime-encoded equivalents.
56                  */
57                 if ((in[0] < 32) ||
58                     strchr(allowed_chars, *in) == NULL) {
59 +                       /*
60 +                        *      Only 3 or less bytes available.
61 +                        */
62 +                       if (outlen <= 3) {
63 +                               break;
64 +                       }
65 +
66                         snprintf(out, outlen, "=%02X", (unsigned char) in[0]);
67                         in++;
68                         out += 3;
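Review bot: The new comment `Only 3 or less bytes available` does not say why 3 is the limit, and the same constant reappears in `out += 3` with nothing tying the two together. The reason is on the next line: `snprintf(out, outlen, "=%02X", ...)` produces three characters plus a terminating NUL, so four bytes must remain before the encoded form is written. I would word the comment as `/* "=XX" takes 3 bytes and snprintf() adds a NUL, so at least 4 bytes must remain. */`. sql_escape_func begins before this hunk and continues after it.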
69 @@ -430,7 +431,14 @@ static int sql_escape_func(char *out, in
70                 }
71  
72                 /*
73 -                *      Else it's a nice character.
74 +                *      Only one byte left.
75 +                */
76 +               if (outlen <= 1) {
77 +                       break;
78 +               }
79 +
80 +               /*
81 +                *      Allowed character.
82                  */
83                 *out = *in;
84                 out++;
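Review bot: Both `break` paths, the `outlen <= 1` check here and the `outlen <= 3` check in the previous hunk, leave the loop with input still unread, and nothing visible tells the caller that the value was cut short. A shortened attribute value is still placed in the query, where it can match a different row than the full value would, for instance an over-long User-Name reduced to a prefix. The function's return statement is outside the hunk, so whether truncation is reported cannot be confirmed from here. If it is not, at least document it at the break, e.g. `/* Output full: result is truncated; callers must not treat it as the complete value. */`, and consider signalling failure so the request can be rejected.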
85 @@ -517,7 +525,7 @@ static int sql_groupcmp(void *instance, 
86          */
87         if (sql_set_user(inst, req, sqlusername, 0) < 0)
88                 return 1;
89 -       if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, req, NULL)){
90 +       if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, req, sql_escape_func)){
91                 radlog(L_ERR, "rlm_sql (%s): xlat failed.",
92                        inst->config->xlat_name);
93                 /* Remove the username we (maybe) added above */
94 @@ -1149,7 +1157,7 @@ static int rlm_sql_checksimul(void *inst
95         if(sql_set_user(inst, request, sqlusername, 0) <0)
96                 return RLM_MODULE_FAIL;
97  
98 -       radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, NULL);
99 +       radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, sql_escape_func);
100  
101         /* initialize the sql socket */
102         sqlsocket = sql_get_socket(inst);
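Review bot: The result of `radius_xlat()` is discarded at this call in rlm_sql_checksimul, and again at the `simul_verify_query` call in the next hunk, whereas sql_xlat and sql_groupcmp test `!radius_xlat(...)` and log "xlat failed". If the expansion fails or does not fit, `querystr` is still sent to the database with whatever it then holds, so the simultaneous-use check may run on an empty or partial query. I would make both sites follow the checked pattern: `if (!radius_xlat(querystr, sizeof(querystr), inst->config->simul_count_query, request, sql_escape_func)) return RLM_MODULE_FAIL;`, preceded by the same `radlog(L_ERR, ...)` line. The second site already holds the socket, so it needs `sql_release_socket(inst, sqlsocket);` before returning. The function body extends beyond both hunks, so any further cleanup needed after `sql_set_user()` cannot be checked from here.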
103 @@ -1193,7 +1201,7 @@ static int rlm_sql_checksimul(void *inst
104                 return RLM_MODULE_OK;
105         }
106  
107 -       radius_xlat(querystr, sizeof(querystr), inst->config->simul_verify_query, request, NULL);
108 +       radius_xlat(querystr, sizeof(querystr), inst->config->simul_verify_query, request, sql_escape_func);
109         if(rlm_sql_select_query(sqlsocket, inst, querystr)) {
110                 radlog(L_ERR, "rlm_sql (%s): sql_checksimul: Database query error", inst->config->xlat_name);
111                 sql_release_socket(inst, sqlsocket);