Details
- Bug
- Resolution: Fixed
- Blocker
- radsecproxy-1.6.4
- None
- None
Description
radmsg_getalltype() copies attributes using list_push() which creates a new list_node and sets its data member to point at 'data'.
radmsg_copy_attrs() gets a list from radmsg_getalltype() and calls radmsg_add() for all its entries, copying them to 'dst'.
radmsg_add() uses list_push() to copy, leaving us with a new list pointing to the same data as what's pointed at from the original rq->msg in respond().
This should result in a double free or an access to freed memory, depending on which happens first: freeing the incoming message or freeing the generated response.
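The ownership problem described above, reduced to a stand-alone sketch; this is an added example, not radsecproxy's code or its actual fix. It contrasts a copy that aliases the attribute buffers with one that duplicates them. The names `push`, `copy_attrs`, `shared_buffers`, `list_free` and `demo` and the sample attributes are constructed, and the deep copy assumes each attribute is a RADIUS TLV whose second byte is its total length.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for the proxy's list node, not its real type. */
struct node { struct node *next; unsigned char *data; };
/* Mirrors the described list_push(): new node, same data pointer. */
static int push(struct node **head, unsigned char *data) {
    struct node *n = malloc(sizeof *n);
    if (!n) return 0;
    n->data = data; n->next = *head; *head = n;
    return 1;
}
/* deep=0 aliases src buffers (the bug pattern); deep=1 duplicates each one. */
static int copy_attrs(struct node **dst, const struct node *src, int deep) {
    for (; src; src = src->next) {
        unsigned char *d = src->data;
        size_t len = d[1];  /* assumed RADIUS layout: byte 1 = total length */
        if (deep && (len < 2 || !(d = malloc(len)))) return 0;
        if (deep) memcpy(d, src->data, len);
        if (!push(dst, d)) { if (deep) free(d); return 0; }
    }
    return 1;
}
/* Buffers reachable from both lists: nonzero means double free / UAF risk. */
static int shared_buffers(const struct node *a, const struct node *b) {
    int c = 0;
    for (; a; a = a->next)
        for (const struct node *y = b; y; y = y->next) c += (a->data == y->data);
    return c;
}
/* Free the nodes; free the buffers only when this list owns them. */
static void list_free(struct node *n, int owns_data) {
    for (struct node *nx; n; n = nx) {
        nx = n->next;
        if (owns_data) free(n->data);
        free(n);
    }
}
/* Build a constructed two-attribute request, copy it, report aliasing. */
static int demo(int deep) {
    static const unsigned char a1[] = {1, 5, 'b', 'o', 'b'}, a2[] = {33, 4, 0xAA, 0xBB};
    struct node s2 = {NULL, (unsigned char *)a2}, s1 = {&s2, (unsigned char *)a1};
    struct node *req = NULL, *resp = NULL;
    int shared = -1;
    if (copy_attrs(&req, &s1, 1) && copy_attrs(&resp, req, deep))
        shared = shared_buffers(req, resp);
    list_free(resp, deep);  /* a shallow copy must not free the shared buffers */
    list_free(req, 1);
    return shared;
}
int main(void) { return (demo(0) == 2 && demo(1) == 0) ? 0 : 1; }
```

With the shallow copy, both lists reach the same two buffers, so only one of them may free the data; the deep copy leaves no shared buffers and each message can be freed independently.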