[moonshot.git] / rpm-sources / freeradius-rlm_attr_filter-fix.patch
1 From a23188a41197069a396886b477bd4463ce6c5365 Mon Sep 17 00:00:00 2001
2 From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
3 Date: Wed, 12 Mar 2014 21:41:26 +0000
4 Subject: [PATCH] Compare da not just attribute number (fix clashing vendor and RFC space attributes)
5
6 ---
7  src/modules/rlm_attr_filter/rlm_attr_filter.c | 4 ++--
8  src/modules/rlm_attr_filter/rlm_attr_filter.c | 43 ++++++++++++++++-----------
9  2 files changed, 27 insertions(+), 20 deletions(-)
10
11 diff --git a/src/modules/rlm_attr_filter/rlm_attr_filter.c b/src/modules/rlm_attr_filter/rlm_attr_filter.c
12 index e153cd1..1f72d6c 100644
13 --- a/src/modules/rlm_attr_filter/rlm_attr_filter.c
14 +++ b/src/modules/rlm_attr_filter/rlm_attr_filter.c
15 @@ -268,8 +268,8 @@ static rlm_rcode_t attr_filter_common(void *instance, REQUEST *request, RADIUS_P
16                                         continue;
17                                 }
18  
19 -                               if (input_item->da->attr == check_item->da->attr) {
20 -                                       check_pair(check_item, input_item, &pass, &fail);
21 +                               if (input_item->da == check_item->da) {
22 +                                       check_pair(request, check_item, input_item, &pass, &fail);
23                                 }
24                         }
25  
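Review bot: The attribute-number-only comparison this commit removes survives in the Vendor-Specific branch that closes at the top of this hunk: its condition, visible as context in the later `@@ -247,20 +256,17 @@` hunk, tests `check_item->da->attr == PW_VENDOR_SPECIFIC` without checking `check_item->da->vendor`. A rule on a vendor-space attribute that shares that number and uses `T_OP_CMP_TRUE` would therefore appear to act as the any-VSA wildcard, making the filter more permissive than written. Consider `if (!check_item->da->vendor && (check_item->da->attr == PW_VENDOR_SPECIFIC) && (input_item->da->vendor != 0) &&`, matching the `PW_RELAX_FILTER` test elsewhere in the function. The new `input_item->da == check_item->da` also relies on each dictionary attribute having a single DICT_ATTR instance, which is not visible here and is worth a one-line comment. attr_filter_common starts and ends outside this hunk.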
26 diff --git a/src/modules/rlm_attr_filter/rlm_attr_filter.c b/src/modules/rlm_attr_filter/rlm_attr_filter.c
27 index 1f72d6c..19b5b45 100644
28 --- a/src/modules/rlm_attr_filter/rlm_attr_filter.c
29 +++ b/src/modules/rlm_attr_filter/rlm_attr_filter.c
30 @@ -57,24 +57,34 @@
31         { NULL, -1, 0, NULL, NULL }
32  };
33  
34 -static void check_pair(VALUE_PAIR *check_item, VALUE_PAIR *reply_item,
35 -                     int *pass, int *fail)
36 +static void check_pair(REQUEST *request, VALUE_PAIR *check_item, VALUE_PAIR *reply_item, int *pass, int *fail)
37  {
38         int compare;
39  
40         if (check_item->op == T_OP_SET) return;
41  
42         compare = paircmp(check_item, reply_item);
43 +       if (compare < 0) {
44 +               REDEBUG("Comparison failed: %s", fr_strerror());
45 +       }
46 +
47         if (compare == 1) {
48                 ++*(pass);
49         } else {
50                 ++*(fail);
51         }
52  
53 +       if (RDEBUG_ENABLED3) {
54 +               char rule[1024], pair[1024];
55 +
56 +               vp_prints(rule, sizeof(rule), check_item);
57 +               vp_prints(pair, sizeof(pair), reply_item);
58 +               RDEBUG3("%s %s %s", pair, compare == 1 ? "allowed by" : "disallowed by", rule);
59 +       }
60 +
61         return;
62  }
63  
64 -
65  static int attr_filter_getfile(TALLOC_CTX *ctx, char const *filename, PAIR_LIST **pair_list)
66  {
67         vp_cursor_t cursor;
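Review bot: A paircmp() error (`compare < 0`) is logged and then falls into the `else` branch, so it is counted in `*fail`; that fail-closed outcome is the right one for a filter, but it is only implicit in the control flow. Suggest the comment `/* a comparison error (< 0) is counted as a failure, so the caller's fail == 0 test drops the attribute */` above `if (compare == 1)`. The RDEBUG3 line then reports the same pair as "disallowed by" the rule, which reads as a policy decision rather than an error; a third string for `compare < 0` would keep level-3 logs unambiguous when someone is working out why an attribute was filtered.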
68 @@ -216,8 +226,7 @@ static rlm_rcode_t attr_filter_common(void *instance, REQUEST *request, RADIUS_P
69                                 fall_through = 1;
70                                 continue;
71                         }
72 -                       else if (!check_item->da->vendor &&
73 -                                check_item->da->attr == PW_RELAX_FILTER) {
74 +                       else if (!check_item->da->vendor && check_item->da->attr == PW_RELAX_FILTER) {
75                                 relax_filter = check_item->vp_integer;
76                                 continue;
77                         }
78 @@ -247,20 +256,17 @@ static rlm_rcode_t attr_filter_common(void *instance, REQUEST *request, RADIUS_P
79                 for (input_item = paircursor(&input, &packet->vps);
80                      input_item;
81                      input_item = pairnext(&input)) {
82 -                       /* reset the pass,fail vars for each reply item */
83 -                       pass = fail = 0;
84 +                       pass = fail = 0; /* reset the pass,fail vars for each reply item */
85  
86                         /*
87 -                        *      reset the check_item pointer to
88 -                        *      beginning of the list
89 +                        *  Reset the check_item pointer to beginning of the list
90                          */
91                         for (check_item = pairfirst(&check);
92                              check_item;
93                              check_item = pairnext(&check)) {
94                                 /*
95 -                                *      Vendor-Specific is special, and
96 -                                *      matches any VSA if the comparison
97 -                                *      is always true.
98 +                                *  Vendor-Specific is special, and matches any VSA if the
99 +                                *  comparison is always true.
100                                  */
101                                 if ((check_item->da->attr == PW_VENDOR_SPECIFIC) && (input_item->da->vendor != 0) &&
102                                     (check_item->op == T_OP_CMP_TRUE)) {
103 @@ -273,14 +279,15 @@ static rlm_rcode_t attr_filter_common(void *instance, REQUEST *request, RADIUS_P
104                                 }
105                         }
106  
107 +                       RDEBUG3("Attribute \"%s\" allowed by %i rules, disallowed by %i rules",
108 +                               input_item->da->name, pass, fail);
109                         /*
110 -                        *  Only move attribute if it passed all rules,
111 -                        *  or if the config says we should copy unmatched
112 -                        *  attributes ('relaxed' mode).
113 +                        *  Only move attribute if it passed all rules, or if the config says we
114 +                        *  should copy unmatched attributes ('relaxed' mode).
115                          */
116                         if (fail == 0 && (pass > 0 || relax_filter)) {
117                                 if (!pass) {
118 -                                       RDEBUG3("Attribute (%s) allowed by relaxed mode", input_item->da->name);
119 +                                       RDEBUG3("Attribute \"%s\" allowed by relaxed mode", input_item->da->name);
120                                 }
121                                 vp = paircopyvp(packet, input_item);
122                                 if (!vp) {
123 @@ -355,11 +362,11 @@ static rlm_rcode_t attr_filter_common(void *instance, REQUEST *request, RADIUS_P
124         mod_instantiate,        /* instantiation */
125         NULL,                   /* detach */
126         {
127 -               NULL,                   /* authentication */
128 +               NULL,           /* authentication */
129                 mod_authorize,  /* authorization */
130                 mod_preacct,    /* pre-acct */
131                 mod_accounting, /* accounting */
132 -               NULL,                   /* checksimul */
133 +               NULL,           /* checksimul */
134  #ifdef WITH_PROXY
135                 mod_pre_proxy,  /* pre-proxy */
136                 mod_post_proxy, /* post-proxy */
137 -- 
138 1.8.5.5