[6157] in bugtraq


Re: Serious bug in "radius" dialup authentication software

daemon@ATHENA.MIT.EDU (Marco S Hyman)
Mon Feb 23 00:20:52 1998

Date: 	Sun, 22 Feb 1998 18:32:01 -0800
Reply-To: Marco S Hyman <marc@SNAFU.ORG>
From: Marco S Hyman <marc@SNAFU.ORG>
X-To:         "Phillip R. Jaenke" <prj@NS2.NLS.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Sun, 22 Feb 1998 14:17:19 +0100." 
              <l03010d01b115d4fd398e@[207.206.21.19]>

"Phillip R. Jaenke" writes:

 > This is another known bug, which I call the 'magic 128.' Most, if not all,
 > versions of radius, be it Livingston, Merit, RadiusNT, whatever, will choke
 > HORRIBLY if any entered field is over 128 characters. I don't know if
 > there's a workaround, but I haven't actually looked. I honestly don't think
 > anybody's going to bother with that one too much.

Look at radius.h in the original Livingston code.  You'll see:

#define AUTH_STRING_LEN         128     /* maximum of 254 */

Duh! They almost got the comment right.  AUTH_STRING_LEN is used to
size strvalue in struct value_pair.  It's used like this in radiusd.c:

                        case PW_TYPE_STRING:
                                memcpy(pair->strvalue, ptr, attrlen);

attrlen is calculated as:

                u_char          *ptr;
                ...
                attrlen = *ptr++;
                if(attrlen < 2) {
                        length = 0;
                        continue;
                }
                attrlen -= 2;

Ok, so with this code the max is actually 253.  Ok, copy 253 bytes
into a 128-byte array and see what happens.  I fixed this for the
Ascend version, perhaps as early as late '94.

// marc
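Added example, not Livingston's or Ascend's code: a bounded version of the attribute walk the post describes. It keeps the original's names and length arithmetic (attrlen = *ptr++; attrlen -= 2; memcpy into strvalue) but checks each attribute against the packet end and AUTH_STRING_LEN before copying. The result codes and the parse_constructed helper, which builds a one-attribute input with a chosen length octet, are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUTH_STRING_LEN 128  /* same value as radius.h */

/* Assumed result codes; the original radiusd.c has no such return values. */
enum parse_result { PARSE_OK = 0, PARSE_BAD_LENGTH = -1,
                    PARSE_TOO_LONG = -2, PARSE_TRUNCATED = -3 };

struct value_pair { uint8_t type; size_t length; char strvalue[AUTH_STRING_LEN]; };

/* Walk the type/length/value attributes in attrs[0..len). The length
 * arithmetic matches the original (attrlen = *ptr++; attrlen -= 2), but
 * every attribute is checked against the packet end and the strvalue
 * buffer before memcpy. Stops at the first bad attribute. */
int parse_attrs(const uint8_t *attrs, size_t len, struct value_pair *out)
{
    const uint8_t *ptr = attrs, *end = attrs + len;
    while (ptr < end) {
        if (end - ptr < 2)                  /* no room for type + length */
            return PARSE_TRUNCATED;
        uint8_t type = *ptr++;
        size_t attrlen = *ptr++;            /* counts the two header octets */
        if (attrlen < 2)                    /* original: length = 0; continue; */
            return PARSE_BAD_LENGTH;
        attrlen -= 2;
        if ((size_t)(end - ptr) < attrlen)  /* value runs past the packet */
            return PARSE_TRUNCATED;
        if (attrlen > AUTH_STRING_LEN - 1)  /* the check the original lacked */
            return PARSE_TOO_LONG;          /* (one byte kept for the NUL) */
        out->type = type;
        out->length = attrlen;
        memcpy(out->strvalue, ptr, attrlen);
        out->strvalue[attrlen] = '\0';
        ptr += attrlen;
    }
    return PARSE_OK;
}

/* Constructed input: one attribute whose length octet is hdr_len, handed to
 * the parser as avail bytes (avail < hdr_len simulates a packet that claims
 * more than it carries). Value bytes are filler 'A's. */
int parse_constructed(uint8_t hdr_len, size_t avail)
{
    uint8_t buf[256];
    struct value_pair vp;
    if (avail > sizeof buf) return PARSE_BAD_LENGTH;
    memset(buf, 'A', sizeof buf);
    buf[0] = 1;                             /* User-Name attribute type */
    buf[1] = hdr_len;
    return parse_attrs(buf, avail, &vp);
}
```

parse_constructed(255, 255) is the 253-byte case from the post: the original memcpy would overrun strvalue, the bounded walk returns PARSE_TOO_LONG instead.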
