[6536] in bugtraq
Re: code to crash radiusd
daemon@ATHENA.MIT.EDU (Josh Richards)
Fri Apr 17 17:05:07 1998
Date: Fri, 17 Apr 1998 10:29:30 -0700
Reply-To: Josh Richards <jrichard@LIVINGSTON.COM>
From: Josh Richards <jrichard@LIVINGSTON.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199804150938.IAA08671@venus.ati.tn>
On 15 Apr 1998, Hamdi Tounsi wrote:
>
> Hi all
> the following will crash radiusd from livingston, 1.16 and 2.0.1 97/5/22 (the
> latest version)
> i alerted livingston a few months ago ... a bugfix should be available now
Yep :)
Attached is a patch for RADIUS Server 2.0.1; feel free to give it to
anyone you like. Note that people running very old versions of ComOS
that didn't sign accounting packets will need to upgrade their ComOS to
at least release 3.3.1 before applying this patch to their RADIUS
server, if they want to keep using RADIUS Accounting. I'll place a copy
of the patch on ftp://ftp.livingston.com/pub/le/radius/
There's no patch for RADIUS 1.16; anyone who owns a Livingston
PortMaster should upgrade to RADIUS 2.0.1 at
http://www.livingston.com/Forms/radiusform.cgi and then apply this patch.
*** acct.c.old Fri Apr 17 03:03:23 1998
--- acct.c Fri Apr 17 03:09:04 1998
***************
*** 54,60 ****
#define SIGN_NOCLIENT -1
#define SIGN_MATCH 0
- #define SIGN_ZERO 1
#define SIGN_NOMATCH 2
extern char recv_buffer[4096];
--- 54,59 ----
***************
*** 90,95 ****
--- 89,98 ----
/* Verify the client */
retsig=calc_acctreq(authreq);
+ /* To be strictly compliant with the RADIUS Accounting RFC we
+ only accept packets that returned SIGN_MATCH to
+ indicate the Request-Authenticator is valid.
+ */
if (retsig == SIGN_NOCLIENT) {
/* We do not respond when this fails */
log_err("accounting: unknown client %s ignored\n",
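Review bot: the comment added above `if (retsig == SIGN_NOCLIENT)` states that only SIGN_MATCH is accepted, but the code it introduces still enumerates failure codes one by one (SIGN_NOCLIENT here, SIGN_NOMATCH in the next hunk) rather than failing closed. If calc_acctreq() ever returns another value, the request falls through and is logged as accounting data. Consider a final `else if (retsig != SIGN_MATCH)` branch that frees the request and returns, so the code matches the comment.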
***************
*** 97,103 ****
reqfree(authreq);
return;
} else if (retsig == SIGN_NOMATCH) {
! DEBUG("accounting: client %s sent accounting-request with invalid request authenticator\n",ip_hostname(authreq->ipaddr));
}
strcpy(clientname, client_hostname(authreq->ipaddr));
--- 100,108 ----
reqfree(authreq);
return;
} else if (retsig == SIGN_NOMATCH) {
! log_err("accounting: client %s sent accounting-request with invalid request authenticator\n",ip_hostname(authreq->ipaddr));
! reqfree(authreq);
! return;
}
strcpy(clientname, client_hostname(authreq->ipaddr));
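Review bot: the new SIGN_NOMATCH branch drops the request without replying, but unlike the SIGN_NOCLIENT branch it carries no comment saying the silence is intentional; a one-line note such as "We do not respond when this fails" would make that explicit. Also note that moving from DEBUG to log_err means every request with a bad authenticator now writes a log line, so a misconfigured or hostile sender can generate log volume at packet rate; some rate limiting or per-client aggregation of this message is worth considering.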
***************
*** 132,157 ****
sprintf(buffer,"\tTimestamp = %ld\n",curtime);
fputs(buffer,outfd);
- /* To be strictly compliant with the RADIUS Accounting RFC we
- should only accept packets that returned SIGN_MATCH to
- indicate the Request-Authenticator is valid, but to provide
- compatibility with NASes that haven't implemented that yet
- we accept no authenticator (all 0's) or mistaken ones, but
- flag them as such. A future release may be more strict.
- */
- switch(retsig) {
- case SIGN_MATCH:
- /* fputs("\tRequest-Authenticator = Verified\n",outfd); */
- break;
- case SIGN_NOMATCH:
- fputs("\tRequest-Authenticator = Unverified\n",outfd);
- break;
- case SIGN_ZERO:
- fputs("\tRequest-Authenticator = None\n",outfd);
- break;
- default:
- break;
- }
fputs("\n", outfd);
fclose(outfd);
/* let NAS know it is OK to delete from buffer */
--- 137,142 ----
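Review bot: removing the switch on retsig changes the detail-file format, since records no longer carry the "Request-Authenticator = Unverified" or "Request-Authenticator = None" lines. That is consistent with rejecting such packets earlier, but anything that parses the accounting detail file and keys on those lines will silently stop seeing them; this deserves a mention in the patch notes alongside the ComOS upgrade requirement.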
***************
*** 314,323 ****
*/
memset(buffer, 0, sizeof(buffer));
- if (memcmp(buffer,authreq->vector,AUTH_VECTOR_LEN) == 0) {
- /* client did not sign accounting-request */
- return(SIGN_ZERO);
- }
len = build_packet(authreq,buffer);
memset(buffer+4, 0, AUTH_VECTOR_LEN);
secretlen = strlen((char *)secret);
--- 299,304 ----
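Review bot: with the all-zero memcmp removed from this function, an unsigned request is now reported as SIGN_NOMATCH and logged with the same "invalid request authenticator" text as a wrong shared secret. Operators with old ComOS releases would diagnose the problem faster if the caller could tell the two apart, for example by keeping the zero test only to choose a more specific log message while still rejecting the packet. It is also worth checking whether the `memset(buffer, 0, sizeof(buffer))` kept as context is still needed now that its comparison is gone, or whether build_packet() overwrites the buffer anyway.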
--jr
----
Josh Richards - <jrichard@livingston.com> - [Beta Engineer]
LUCENT Technologies - Remote Access Business Unit
(formerly Livingston Enterprises, Inc.)
http://www.livingston.com/
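The strict check this patch enforces, sketched as an added example that is not part of the original message or of Livingston's code: an Accounting-Request is accepted only when its Request Authenticator equals MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret), as the RADIUS Accounting RFC specifies. The function names, the shared secret and the sample attribute are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS code for Accounting-Request
HEADER_LEN = 20          # code(1) + identifier(1) + length(2) + authenticator(16)
AUTH_LEN = 16


def acct_authenticator(code, ident, attrs, secret):
    """MD5 over the packet with the authenticator field zeroed, then the secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + b"\x00" * AUTH_LEN + attrs + secret).digest()


def build_acct_request(ident, attrs, secret):
    """What a NAS that signs its accounting packets would send."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + acct_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret) + attrs


def verify_acct_request(packet, secret):
    """Fail closed: True only for a well-formed, correctly signed request."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < HEADER_LEN or length > len(packet):
        return False
    received = packet[4:HEADER_LEN]
    attrs = packet[HEADER_LEN:length]
    expected = acct_authenticator(code, ident, attrs, secret)
    # Constant-time comparison; an all-zero (unsigned) authenticator simply fails.
    return hmac.compare_digest(received, expected)


# Constructed sample data: Acct-Status-Type (40) = Start (1).
SECRET = b"constructed-shared-secret"
ATTRS = bytes([40, 6]) + struct.pack("!I", 1)
SIGNED = build_acct_request(7, ATTRS, SECRET)
UNSIGNED = SIGNED[:4] + b"\x00" * AUTH_LEN + SIGNED[HEADER_LEN:]

if __name__ == "__main__":
    print("signed:  ", verify_acct_request(SIGNED, SECRET))
    print("unsigned:", verify_acct_request(UNSIGNED, SECRET))
```
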