From: Nick Porter <nick@portercomputing.co.uk>
Date: Tue, 22 Oct 2024 08:30:17 +0000 (+0100)
Subject: Closed SQL connections can't be used for escaping
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4bd00c4c2d3f809e8428bd4cd06fcae6656b3871;p=thirdparty%2Ffreeradius-server.git

Closed SQL connections can't be used for escaping

The handle gets freed when the connection is closed
---

diff --git a/src/modules/rlm_sql/drivers/rlm_sql_mysql/rlm_sql_mysql.c b/src/modules/rlm_sql/drivers/rlm_sql_mysql/rlm_sql_mysql.c
index 55efd057e06..b38a036e59f 100644
--- a/src/modules/rlm_sql/drivers/rlm_sql_mysql/rlm_sql_mysql.c
+++ b/src/modules/rlm_sql/drivers/rlm_sql_mysql/rlm_sql_mysql.c
@@ -835,11 +835,18 @@ static int sql_affected_rows(fr_sql_query_t *query_ctx, UNUSED rlm_sql_config_t
 	return mysql_affected_rows(conn->sock);
 }
 
-static ssize_t sql_escape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, void *arg)
+static ssize_t sql_escape_func(request_t *request, char *out, size_t outlen, char const *in, void *arg)
 {
 	size_t			inlen;
 	connection_t		*c = talloc_get_type_abort(arg, connection_t);
-	rlm_sql_mysql_conn_t	*conn = talloc_get_type_abort(c->h, rlm_sql_mysql_conn_t);
+	rlm_sql_mysql_conn_t	*conn;
+
+	if ((c->state == CONNECTION_STATE_HALTED) || (c->state == CONNECTION_STATE_CLOSED)) {
+		ROPTIONAL(RERROR, ERROR, "Connection not available for escaping");
+		return -1;
+	}
+
+	conn = talloc_get_type_abort(c->h, rlm_sql_mysql_conn_t);
 
 	/* Check for potential buffer overflow */
 	inlen = strlen(in);
diff --git a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/rlm_sql_postgresql.c b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/rlm_sql_postgresql.c
index f6bb2bc55ea..7da0a064c85 100644
--- a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/rlm_sql_postgresql.c
+++ b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/rlm_sql_postgresql.c
@@ -659,9 +659,16 @@ static ssize_t sql_escape_func(request_t *request, char *out, size_t outlen, cha
 {
 	size_t			inlen, ret;
 	connection_t		*c = talloc_get_type_abort(arg, connection_t);
-	rlm_sql_postgres_conn_t	*conn = talloc_get_type_abort(c->h, rlm_sql_postgres_conn_t);
+	rlm_sql_postgres_conn_t	*conn;
 	int			err;
 
+	if ((c->state == CONNECTION_STATE_HALTED) || (c->state == CONNECTION_STATE_CLOSED)) {
+		ROPTIONAL(RERROR, ERROR, "Connection not available for escaping");
+		return -1;
+	}
+
+	conn = talloc_get_type_abort(c->h, rlm_sql_postgres_conn_t);
+
 	/* Check for potential buffer overflow */
 	inlen = strlen(in);
 	if ((inlen * 2 + 1) > outlen) return 0;