Fix multiple bugs with ctld's UCL parsing

* Don't segfault when parsing a misformatted auth-group section * If the config file specifies a chap section within a target but no auth-group, create a new anonymous auth-group. That matches the behavior with non-UCL config files. * Protect some potential segfaults with assertions PR: 274380 MFC after: 1 week Sponsored by: Axcient Reviewed by: jhb Differential Revision: https://reviews.freebsd.org/D43198
rcbchan · Dec 27, 2023 · 2391e53 · 2391e53
1 parent c4368d0
commit 2391e53
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/usr.sbin/ctld/ctld.c b/usr.sbin/ctld/ctld.c
@@ -532,6 +532,7 @@ auth_group_find(const struct conf *conf, const char *name)
 {
 	struct auth_group *ag;
 
+	assert(name != NULL);
 	TAILQ_FOREACH(ag, &conf->conf_auth_groups, ag_next) {
 		if (ag->ag_name != NULL && strcmp(ag->ag_name, name) == 0)
 			return (ag);

diff --git a/usr.sbin/ctld/uclparse.c b/usr.sbin/ctld/uclparse.c
@@ -60,6 +60,7 @@ uclparse_chap(struct auth_group *auth_group, const ucl_object_t *obj)
 	const struct auth *ca;
 	const ucl_object_t *user, *secret;
 
+	assert(auth_group != NULL);
 	user = ucl_object_find_key(obj, "user");
 	if (!user || user->type != UCL_STRING) {
 		log_warnx("chap section in auth-group \"%s\" is missing "
@@ -90,6 +91,7 @@ uclparse_chap_mutual(struct auth_group *auth_group, const ucl_object_t *obj)
 	const ucl_object_t *user, *secret, *mutual_user;
 	const ucl_object_t *mutual_secret;
 
+	assert(auth_group != NULL);
 	user = ucl_object_find_key(obj, "user");
 	if (!user || user->type != UCL_STRING) {
 		log_warnx("chap-mutual section in auth-group \"%s\" is missing "
@@ -714,6 +716,8 @@ uclparse_target(const char *name, const ucl_object_t *top)
 		}
 
 		if (!strcmp(key, "auth-group")) {
+			const char *ag;
+
 			if (target->t_auth_group != NULL) {
 				if (target->t_auth_group->ag_name != NULL)
 					log_warnx("auth-group for target \"%s\" "
@@ -725,8 +729,12 @@ uclparse_target(const char *name, const ucl_object_t *top)
 					    "target \"%s\"", target->t_name);
 				return (1);
 			}
-			target->t_auth_group = auth_group_find(conf,
-			    ucl_object_tostring(obj));
+			ag = ucl_object_tostring(obj);
+			if (!ag) {
+				log_warnx("auth-group must be a string");
+				return (1);
+			}
+			target->t_auth_group = auth_group_find(conf, ag);
 			if (target->t_auth_group == NULL) {
 				log_warnx("unknown auth-group \"%s\" for target "
 				    "\"%s\"", ucl_object_tostring(obj),
@@ -759,6 +767,20 @@ uclparse_target(const char *name, const ucl_object_t *top)
 		}
 
 		if (!strcmp(key, "chap")) {
+			if (target->t_auth_group != NULL) {
+				if (target->t_auth_group->ag_name != NULL) {
+					log_warnx("cannot use both auth-group "
+					    "and chap for target \"%s\"",
+					    target->t_name);
+					return (1);
+				}
+			} else {
+				target->t_auth_group = auth_group_new(conf, NULL);
+				if (target->t_auth_group == NULL) {
+					return (1);
+				}
+				target->t_auth_group->ag_target = target;
+			}
 			if (uclparse_chap(target->t_auth_group, obj) != 0)
 				return (1);
 		}