Don't double free memory on response to ping

author Alan T. DeKok <aland@freeradius.org>

Thu, 5 Mar 2009 14:55:26 +0000 (15:55 +0100)

committer Alan T. DeKok <aland@freeradius.org>

Thu, 5 Mar 2009 14:55:26 +0000 (15:55 +0100)
author Alan T. DeKok <aland@freeradius.org>
Thu, 5 Mar 2009 14:55:26 +0000 (15:55 +0100)
committer Alan T. DeKok <aland@freeradius.org>
Thu, 5 Mar 2009 14:55:26 +0000 (15:55 +0100)
diff --git a/src/main/event.c b/src/main/event.c

index f7b7027..09dba75 100644 (file)
--- a/src/main/event.c
+++ b/src/main/event.c
@@ -653,6 +653,12 @@ static void received_response_to_ping(REQUEST *request)
  
         rad_assert(request->home_server != NULL);
  
+       if (rad_verify(request->proxy_reply, request->proxy,
+                      request->home_server->secret) != 0) {
+               DEBUG("Ignoring spoofed proxy reply.  Signature is invalid");
+               return;
+       }
+               
         home = request->home_server;
         home->num_received_pings++;
  
@@ -665,7 +671,6 @@ static void received_response_to_ping(REQUEST *request)
         fr_event_delete(el, &request->ev);
         remove_from_proxy_hash(request);
         rad_assert(request->in_request_hash == FALSE);
-       request_free(&request);
  
         /*
          *      The control socket may have marked the home server as
@@ -2979,6 +2984,8 @@ REQUEST *received_proxy_response(RADIUS_PACKET *packet)
          */
         if (!request->packet) {
                 received_response_to_ping(request);
+               request->proxy_reply = NULL; /* caller will free it */
+               request_free(&request);
                 return NULL;
         }
author	Alan T. DeKok <aland@freeradius.org>
	Thu, 5 Mar 2009 14:55:26 +0000 (15:55 +0100)
committer	Alan T. DeKok <aland@freeradius.org>
	Thu, 5 Mar 2009 14:55:26 +0000 (15:55 +0100)