From: Alan T. DeKok <aland@freeradius.org>
Date: Thu, 5 Mar 2009 14:55:26 +0000 (+0100)
Subject: Don't double free memory on response to ping
X-Git-Tag: release_2_1_4~27
X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=5f7e79fef34773280fef3346a38e087a58536fb4;p=freeradius.git

Don't double free memory on response to ping
---

diff --git a/src/main/event.c b/src/main/event.c
index f7b7027..09dba75 100644
--- a/src/main/event.c
+++ b/src/main/event.c
@@ -653,6 +653,12 @@ static void received_response_to_ping(REQUEST *request)
 
 	rad_assert(request->home_server != NULL);
 
+	if (rad_verify(request->proxy_reply, request->proxy,
+		       request->home_server->secret) != 0) {
+		DEBUG("Ignoring spoofed proxy reply.  Signature is invalid");
+		return;
+	}
+		
 	home = request->home_server;
 	home->num_received_pings++;
 
@@ -665,7 +671,6 @@ static void received_response_to_ping(REQUEST *request)
 	fr_event_delete(el, &request->ev);
 	remove_from_proxy_hash(request);
 	rad_assert(request->in_request_hash == FALSE);
-	request_free(&request);
 
 	/*
 	 *	The control socket may have marked the home server as
@@ -2979,6 +2984,8 @@ REQUEST *received_proxy_response(RADIUS_PACKET *packet)
 	 */
 	if (!request->packet) {
 		received_response_to_ping(request);
+		request->proxy_reply = NULL; /* caller will free it */
+		request_free(&request);
 		return NULL;
 	}