From: Arran Cudbard-Bell
Date: Sun, 10 Oct 2021 16:59:35 +0000 (-0500)
Subject: Add tain to fr_pair_value_strdup
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=868ebe69702ffa0191ac47afe7de995dde4ad5e0;p=thirdparty%2Ffreeradius-server.git
Add tain to fr_pair_value_strdup
---
diff --git a/src/bin/radclient.c b/src/bin/radclient.c
index 1659c2ac279..dcb781aabdf 100644
--- a/src/bin/radclient.c
+++ b/src/bin/radclient.c
@@ -837,7 +837,7 @@ static int send_one_packet(rc_request_t *request)
 fr_pair_t *vp;
 if ((vp = fr_pair_find_by_da(&request->request_pairs, attr_user_password, 0)) != NULL) {
- fr_pair_value_strdup(vp, request->password->vp_strvalue);
+ fr_pair_value_strdup(vp, request->password->vp_strvalue, false);
 } else if ((vp = fr_pair_find_by_da(&request->request_pairs, attr_chap_password, 0)) != NULL) {
 uint8_t buffer[17];
diff --git a/src/lib/server/exfile.c b/src/lib/server/exfile.c
index f50a002c581..e0609c74a74 100644
--- a/src/lib/server/exfile.c
+++ b/src/lib/server/exfile.c
@@ -90,7 +90,7 @@ static inline void exfile_trigger_exec(exfile_t *ef, exfile_entry_t *entry, char
 fr_dcursor_init(&cursor, fr_pair_list_order(&args));
 MEM(vp = fr_pair_afrom_da(NULL, da));
- fr_pair_value_strdup(vp, entry->filename);
+ fr_pair_value_strdup(vp, entry->filename, false);
 fr_dcursor_prepend(&cursor, vp);
diff --git a/src/lib/server/log.c b/src/lib/server/log.c
index 952185e833d..8bda670a648 100644
--- a/src/lib/server/log.c
+++ b/src/lib/server/log.c
@@ -554,7 +554,7 @@ void vlog_module_failure_msg(request_t *request, char const *fmt, va_list ap)
 if (request->module && (request->module[0] != '\0')) {
 fr_pair_value_aprintf(vp, "%s: %s", request->module, p);
 } else {
- fr_pair_value_strdup(vp, p);
+ fr_pair_value_strdup(vp, p, false);
 }
 talloc_free(p);
diff --git a/src/lib/server/trigger.c b/src/lib/server/trigger.c
index 0171585fae4..a13b0295d1c 100644
--- a/src/lib/server/trigger.c
+++ b/src/lib/server/trigger.c
@@ -495,7 +495,7 @@ void trigger_args_afrom_server(TALLOC_CTX *ctx, fr_pair_list_t *list, char const
 }
 MEM(vp = fr_pair_afrom_da(ctx, server_da));
- fr_pair_value_strdup(vp, server);
+ fr_pair_value_strdup(vp, server, false);
 fr_pair_append(list, vp);
 MEM(vp = fr_pair_afrom_da(ctx, port_da));
diff --git a/src/lib/tls/pairs.c b/src/lib/tls/pairs.c
index efa8c948d09..098f31bc7be 100644
--- a/src/lib/tls/pairs.c
+++ b/src/lib/tls/pairs.c
@@ -118,7 +118,7 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c
 OBJ_obj2txt(buff, sizeof(buff), alg->algorithm, 0);
 MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_certificate_signature_algorithm) == 0);
- fr_pair_value_strdup(vp, buff);
+ fr_pair_value_strdup(vp, buff, false);
 }
 /*
diff --git a/src/lib/tls/session.c b/src/lib/tls/session.c
index d2cb594a3d2..8abaa46ebfa 100644
--- a/src/lib/tls/session.c
+++ b/src/lib/tls/session.c
@@ -1099,7 +1099,7 @@ static unlang_action_t tls_session_async_handshake_done_round(UNUSED rlm_rcode_t
 RDEBUG2("Adding TLS session information to request");
 vp = fr_pair_afrom_da(request->session_state_ctx, attr_tls_session_cipher_suite);
 if (vp) {
- fr_pair_value_strdup(vp, SSL_CIPHER_get_name(cipher));
+ fr_pair_value_strdup(vp, SSL_CIPHER_get_name(cipher), false);
 fr_pair_append(&request->session_state_pairs, vp);
 RINDENT();
 RDEBUG2("&session-state.%pP", vp);
@@ -1115,7 +1115,7 @@ static unlang_action_t tls_session_async_handshake_done_round(UNUSED rlm_rcode_t
 vp = fr_pair_afrom_da(request->session_state_ctx, attr_tls_session_version);
 if (vp) {
- fr_pair_value_strdup(vp, version);
+ fr_pair_value_strdup(vp, version, false);
 fr_pair_append(&request->session_state_pairs, vp);
 RINDENT();
 RDEBUG2("&session-state.TLS-Session-Version := \"%s\"", version);
diff --git a/src/lib/util/pair.c b/src/lib/util/pair.c
index 2f3b05bc3b2..6e53ee230f4 100644
--- a/src/lib/util/pair.c
+++ b/src/lib/util/pair.c
@@ -1681,20 +1681,21 @@ int fr_pair_value_from_str(fr_pair_t *vp, char const *value, ssize_t inlen, char
 *
 * @note vp->da must be of type FR_TYPE_STRING.
 *
- * @param[in,out] vp to update
- * @param[in] src data to copy
+ * @param[in,out] vp to update
+ * @param[in] src data to copy
+ * @param[in] tainted Whether the value came from a trusted source.
 * @return
 * - 0 on success.
 * - -1 on failure.
 */
-int fr_pair_value_strdup(fr_pair_t *vp, char const *src)
+int fr_pair_value_strdup(fr_pair_t *vp, char const *src, bool tainted)
 {
 int ret;
 if (!fr_cond_assert(vp->da->type == FR_TYPE_STRING)) return -1;
 fr_value_box_clear(&vp->data); /* Free any existing buffers */
- ret = fr_value_box_strdup(vp, &vp->data, vp->da, src, false);
+ ret = fr_value_box_strdup(vp, &vp->data, vp->da, src, tainted);
 if (ret == 0) {
 vp->type = VT_DATA;
 VP_VERIFY(vp);
diff --git a/src/lib/util/pair.h b/src/lib/util/pair.h
index 58969baa326..a6703f899f2 100644
--- a/src/lib/util/pair.h
+++ b/src/lib/util/pair.h
@@ -342,7 +342,7 @@ int fr_pair_value_copy(fr_pair_t *dst, fr_pair_t *src);
 */
 int fr_pair_value_from_str(fr_pair_t *vp, char const *value, ssize_t len, char quote, bool tainted);
-int fr_pair_value_strdup(fr_pair_t *vp, char const *src);
+int fr_pair_value_strdup(fr_pair_t *vp, char const *src, bool tainted) CC_HINT(nonnull);
 int fr_pair_value_strdup_shallow(fr_pair_t *vp, char const *src, bool tainted);
diff --git a/src/lib/util/pair_tests.c b/src/lib/util/pair_tests.c
index 69d94e532c7..ec68114c481 100644
--- a/src/lib/util/pair_tests.c
+++ b/src/lib/util/pair_tests.c
@@ -580,7 +580,7 @@ static void test_fr_pair_value_strdup(void)
 VP_VERIFY(vp);
 TEST_CASE("Copy content of 'test_string' to attribute value using fr_pair_value_strdup()");
- TEST_CHECK(fr_pair_value_strdup(vp, test_string) == 0);
+ TEST_CHECK(fr_pair_value_strdup(vp, test_string, false) == 0);
 TEST_CASE("Validating VP_VERIFY()");
 VP_VERIFY(vp);
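Review bot: The new `@param[in] tainted` line in pair.c describes the flag backwards: it says "Whether the value came from a trusted source", yet callers in this same commit pass `true` for network-decoded data (proto_radius.c, proto_tacacs.c, abinary.c) and `false` for server-generated strings. Reword it to `@param[in] tainted Whether the value came from an untrusted source.` so a caller reading the doc comment does not invert the argument. The function body continues past the end of the hunk.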
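Review bot: Nothing in test_fr_pair_value_strdup asserts the taint flag after the call, and the only value exercised is `false`, so the new parameter is effectively untested. After the copy add `TEST_CHECK(vp->vp_tainted == false);`, and add a second case that calls `fr_pair_value_strdup(vp, test_string, true)` followed by `TEST_CHECK(vp->vp_tainted == true);`. The call updated in test_fr_pair_value_strtrim has the same gap. Both test bodies extend outside their hunks.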
@@ -626,7 +626,7 @@ static void test_fr_pair_value_strtrim(void)
 VP_VERIFY(vp);
 TEST_CASE("Copy content of 'test_string' to attribute value using fr_pair_value_strdup_shallow()");
- TEST_CHECK(fr_pair_value_strdup(vp, test_string) == 0);
+ TEST_CHECK(fr_pair_value_strdup(vp, test_string, false) == 0);
 TEST_CASE("Trim the length of the string buffer using fr_pair_value_strtrim()");
 TEST_CHECK(fr_pair_value_strtrim(vp) == 0);
diff --git a/src/listen/radius/proto_radius.c b/src/listen/radius/proto_radius.c
index 82385354414..0aa83ce549e 100644
--- a/src/listen/radius/proto_radius.c
+++ b/src/listen/radius/proto_radius.c
@@ -274,7 +274,7 @@ static int mod_decode(void const *instance, request_t *request, uint8_t *const d
 break;
 case FR_TYPE_STRING:
- fr_pair_value_strdup(vp, "");
+ fr_pair_value_strdup(vp, "", true);
 break;
 }
 }
diff --git a/src/listen/tacacs/proto_tacacs.c b/src/listen/tacacs/proto_tacacs.c
index 43c775b4e86..bdfe1880591 100644
--- a/src/listen/tacacs/proto_tacacs.c
+++ b/src/listen/tacacs/proto_tacacs.c
@@ -273,7 +273,7 @@ static int mod_decode(void const *instance, request_t *request, uint8_t *const d
 break;
 case FR_TYPE_STRING:
- fr_pair_value_strdup(vp, "");
+ fr_pair_value_strdup(vp, "", true);
 break;
 }
 }
diff --git a/src/modules/proto_ldap_sync/proto_ldap_sync.c b/src/modules/proto_ldap_sync/proto_ldap_sync.c
index aa22c77e964..f4b88f2fd78 100644
--- a/src/modules/proto_ldap_sync/proto_ldap_sync.c
+++ b/src/modules/proto_ldap_sync/proto_ldap_sync.c
@@ -537,18 +537,18 @@ static int proto_ldap_attributes_add(request_t *request, sync_config_t const *co
 fr_pair_t *vp;
 MEM(pair_append_request(&vp, attr_ldap_sync_dn) == 0);
- fr_pair_value_strdup(vp, config->base_dn);
+ fr_pair_value_strdup(vp, config->base_dn, false);
 if (config->filter) {
 MEM(pair_update_request(&vp, attr_ldap_sync_filter) >= 0);
- fr_pair_value_strdup(vp, config->filter);
+ fr_pair_value_strdup(vp, config->filter, false);
 }
 if (config->attrs) {
 char const *attrs_p;
 for (attrs_p = *config->attrs; *attrs_p; attrs_p++) {
 MEM(pair_append_request(&vp, attr_ldap_sync_attr) == 0);
- fr_pair_value_strdup(vp, attrs_p);
+ fr_pair_value_strdup(vp, attrs_p, false);
 }
 }
diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
index 4cda58c3867..6d39d0f6d8b 100644
--- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
@@ -730,7 +730,7 @@ packet_ready:
 * FIXME: Put it into MS-CHAP-Domain?
 */
 username++; /* skip the \\ */
- fr_pair_value_strdup(auth_challenge, username);
+ fr_pair_value_strdup(auth_challenge, username, auth_challenge->vp_tainted);
 }
 /*
diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
index b8ac86bb3d7..cc25f859331 100644
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -323,7 +323,7 @@ do_value:
 /*
 * Diameter pads strings (i.e. User-Password) with trailing zeros.
 */
- if (vp->vp_type == FR_TYPE_STRING) fr_pair_value_strdup(vp, vp->vp_strvalue);
+ if (vp->vp_type == FR_TYPE_STRING) fr_pair_value_strdup(vp, vp->vp_strvalue, vp->vp_tainted);
 }
 /*
diff --git a/src/modules/rlm_ldap/groups.c b/src/modules/rlm_ldap/groups.c
index f9c4cb0261c..8b38843dd5f 100644
--- a/src/modules/rlm_ldap/groups.c
+++ b/src/modules/rlm_ldap/groups.c
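Review bot: In ttls.c the call `fr_pair_value_strdup(vp, vp->vp_strvalue, vp->vp_tainted)` hands the pair's own buffer in as `src`, while fr_pair_value_strdup (pair.c hunk of this commit) runs `fr_value_box_clear(&vp->data)`, commented "Free any existing buffers", before it copies from `src`. If that clear releases the string, the copy reads freed memory, and the commit carries the pattern forward unchanged. Since the stated intent is to drop Diameter's trailing zero padding, `if (vp->vp_type == FR_TYPE_STRING) fr_pair_value_strtrim(vp);` looks like the safer call, assuming fr_pair_value_strtrim (exercised in pair_tests.c) trims to the first NUL; otherwise duplicate into a temporary before calling. The rlm_eap_mschapv2.c hunk may have the same problem if `username` points into `auth_challenge`'s buffer, which is not visible here. Both enclosing functions extend outside their hunks.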
@@ -406,7 +406,7 @@ unlang_action_t rlm_ldap_cacheable_userobj(rlm_rcode_t *p_result, rlm_ldap_t con
 for (dn_p = group_dn; *dn_p; dn_p++) {
 MEM(vp = fr_pair_afrom_da(list_ctx, inst->cache_da));
- fr_pair_value_strdup(vp, *dn_p);
+ fr_pair_value_strdup(vp, *dn_p, false);
 fr_pair_append(list, vp);
 RDEBUG2("&control.%s += \"%pV\"", inst->cache_da->name, &vp->data);
@@ -503,7 +503,7 @@ unlang_action_t rlm_ldap_cacheable_groupobj(rlm_rcode_t *p_result, rlm_ldap_t co
 fr_ldap_util_normalise_dn(dn, dn);
 MEM(pair_append_control(&vp, inst->cache_da) == 0);
- fr_pair_value_strdup(vp, dn);
+ fr_pair_value_strdup(vp, dn, false);
 RINDENT();
 RDEBUG2("&control.%pP", vp);
diff --git a/src/modules/rlm_ldap/user.c b/src/modules/rlm_ldap/user.c
index c7ad63e643f..b84768a5d4f 100644
--- a/src/modules/rlm_ldap/user.c
+++ b/src/modules/rlm_ldap/user.c
@@ -197,7 +197,7 @@ char const *rlm_ldap_find_user(rlm_ldap_t const *inst, request_t *request, fr_ld
 RDEBUG2("User object found at DN \"%s\"", dn);
 MEM(pair_update_control(&vp, attr_ldap_userdn) >= 0);
- fr_pair_value_strdup(vp, dn);
+ fr_pair_value_strdup(vp, dn, false);
 *rcode = RLM_MODULE_OK;
 ldap_memfree(dn);
diff --git a/src/modules/rlm_radius/rlm_radius_udp.c b/src/modules/rlm_radius/rlm_radius_udp.c
index 76c2f6e11c0..df70cfd7de0 100644
--- a/src/modules/rlm_radius/rlm_radius_udp.c
+++ b/src/modules/rlm_radius/rlm_radius_udp.c
@@ -405,7 +405,7 @@ static void CC_HINT(nonnull) status_check_alloc(udp_handle_t *h)
 fr_pair_t *vp;
 MEM(pair_append_request(&vp, attr_nas_identifier) >= 0);
- fr_pair_value_strdup(vp, "status check - are you alive?");
+ fr_pair_value_strdup(vp, "status check - are you alive?", false);
 }
 /*
diff --git a/src/modules/rlm_securid/rlm_securid.c b/src/modules/rlm_securid/rlm_securid.c
index 8b5579dc43c..de50fa5081a 100644
--- a/src/modules/rlm_securid/rlm_securid.c
+++ b/src/modules/rlm_securid/rlm_securid.c
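Review bot: The DN strings copied in rlm_ldap_cacheable_userobj (`*dn_p`), rlm_ldap_cacheable_groupobj (`dn`) and rlm_ldap_find_user (`dn`, released with `ldap_memfree` right after) are marked `false`, whereas the comparable datastore-derived value in rlm_sql.c (`entry->name`) is marked `true` in this same commit. These values appear to come from directory search results rather than from server configuration, so the two modules now apply opposite taint policy to similar external data. Unless LDAP content is deliberately treated as trusted, pass `true`, e.g. `fr_pair_value_strdup(vp, dn, true);`, or add a comment at each call stating why directory data is trusted. The origin of `group_dn` and `dn` lies outside these hunks, so confirm it before changing the flag.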
@@ -535,7 +535,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
 if (*buffer) {
 MEM(pair_update_reply(&vp, attr_reply_message) >= 0);
- fr_pair_value_strdup(vp, buffer);
+ fr_pair_value_strdup(vp, buffer, false);
 }
 RETURN_MODULE_RCODE(rcode);
 }
diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c
index 14b60017bc2..a8d50a84563 100644
--- a/src/modules/rlm_sql/rlm_sql.c
+++ b/src/modules/rlm_sql/rlm_sql.c
@@ -855,7 +855,7 @@ static unlang_action_t rlm_sql_process_groups(rlm_rcode_t *p_result,
 do {
 next:
 fr_assert(entry != NULL);
- fr_pair_value_strdup(sql_group, entry->name);
+ fr_pair_value_strdup(sql_group, entry->name, true);
 if (inst->config->authorize_group_check_query) {
 fr_pair_t *vp;
diff --git a/src/modules/rlm_sqlcounter/rlm_sqlcounter.c b/src/modules/rlm_sqlcounter/rlm_sqlcounter.c
index 175f5fa7858..cac968b21da 100644
--- a/src/modules/rlm_sqlcounter/rlm_sqlcounter.c
+++ b/src/modules/rlm_sqlcounter/rlm_sqlcounter.c
@@ -442,7 +442,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod
 snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", inst->reset);
 MEM(pair_update_reply(&vp, attr_reply_message) >= 0);
- fr_pair_value_strdup(vp, msg);
+ fr_pair_value_strdup(vp, msg, false);
 REDEBUG2("Maximum %s usage time reached", inst->reset);
 REDEBUG2("Rejecting user, %s value (%" PRIu64 ") is less than counter value (%" PRIu64 ")",
diff --git a/src/modules/rlm_unix/rlm_unix.c b/src/modules/rlm_unix/rlm_unix.c
index e3324fb7f82..28c691619df 100644
--- a/src/modules/rlm_unix/rlm_unix.c
+++ b/src/modules/rlm_unix/rlm_unix.c
@@ -299,7 +299,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, UNU
 RETURN_MODULE_NOOP;
 MEM(pair_update_control(&vp, attr_crypt_password) >= 0);
- fr_pair_value_strdup(vp, encrypted_pass);
+ fr_pair_value_strdup(vp, encrypted_pass, false);
 RETURN_MODULE_UPDATED;
 }
diff --git a/src/modules/rlm_yubikey/rlm_yubikey.c b/src/modules/rlm_yubikey/rlm_yubikey.c
index 36bd0a409e6..b810e3c8c03 100644
--- a/src/modules/rlm_yubikey/rlm_yubikey.c
+++ b/src/modules/rlm_yubikey/rlm_yubikey.c
@@ -335,7 +335,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod
 * portion.
 */
 MEM(pair_update_request(&vp, attr_yubikey_otp) >= 0);
- fr_pair_value_strdup(vp, otp);
+ fr_pair_value_strdup(vp, otp, password->vp_tainted);
 /*
 * Replace the existing string buffer for the password
diff --git a/src/process/tacacs/base.c b/src/process/tacacs/base.c
index 9c6ee5843e5..56a76bce996 100644
--- a/src/process/tacacs/base.c
+++ b/src/process/tacacs/base.c
@@ -167,7 +167,7 @@ static void message_failed(request_t *request, PROCESS_INST *inst, fr_process_st
 */
 if (!fr_pair_find_by_da(&request->reply_pairs, attr_tacacs_server_message, 0)) {
 MEM(pair_update_reply(&vp, attr_tacacs_server_message) >= 0);
- fr_pair_value_strdup(vp, msg);
+ fr_pair_value_strdup(vp, msg, false);
 }
 /*
diff --git a/src/protocols/radius/abinary.c b/src/protocols/radius/abinary.c
index c5f00edd193..97d2b117362 100644
--- a/src/protocols/radius/abinary.c
+++ b/src/protocols/radius/abinary.c
@@ -1536,7 +1536,7 @@ ssize_t fr_radius_decode_abinary(fr_pair_t *vp, uint8_t const *data, size_t data
 /*
 * Copy the finished string to the output VP.
 */
- if (fr_pair_value_strdup(vp, string) < 0) return -1;
+ if (fr_pair_value_strdup(vp, string, true) < 0) return -1;
 return 0;
 }