Refuse an incomplete config, an authentication block which doesn't

have authentication module.  The code doesn't expect this.

diff --git a/usr.sbin/radiusd/parse.y b/usr.sbin/radiusd/parse.y
index ba3399f..ef17ae1 100644 (file)
--- a/usr.sbin/radiusd/parse.y
+++ b/usr.sbin/radiusd/parse.y
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.15 2023/09/04 12:28:18 yasuoka Exp $      */
+/*     $OpenBSD: parse.y,v 1.16 2023/09/05 00:32:01 yasuoka Exp $      */
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -312,6 +312,11 @@ authenticate       : AUTHENTICATE {
                } str_l optnl '{' authopts '}' {
                        struct radiusd_authentication *a;
 
+                       if (authen.auth == NULL) {
+                               free_str_l(&$3);
+                               yyerror("no authentication module specified");
+                               YYERROR;
+                       }
                        if ((a = calloc(1,
                            sizeof(struct radiusd_authentication))) == NULL) {
                                free_str_l(&$3);

diff --git a/usr.sbin/radiusd/radiusd.c b/usr.sbin/radiusd/radiusd.c
index b6d08eb..8e63f97 100644 (file)
--- a/usr.sbin/radiusd/radiusd.c
+++ b/usr.sbin/radiusd/radiusd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: radiusd.c,v 1.30 2023/09/04 23:55:23 yasuoka Exp $    */
+/*     $OpenBSD: radiusd.c,v 1.31 2023/09/05 00:32:01 yasuoka Exp $    */
 
 /*
  * Copyright (c) 2013 Internet Initiative Japan Inc.
@@ -490,6 +490,8 @@ radiusd_listen_on_event(int fd, short evmask, void *ctx)
                        goto on_error;
                }
 found:
+               RADIUSD_ASSERT(authen->auth != NULL);
+
                if (!MODULE_DO_USERPASS(authen->auth->module) &&
                    !MODULE_DO_ACCSREQ(authen->auth->module)) {
                        log_warnx("Received %s(code=%d) from %s id=%d "