The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Serious bug in "radius" dialup authentication software


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Mon, 23 Feb 1998 12:43:22 +0500 (ESK)
Date: Sun, 22 Feb 1998 18:32:01 -0800
From: Marco S Hyman <[email protected]>
To: [email protected]
Subject: Re: Serious bug in "radius" dialup authentication software

"Phillip R. Jaenke" writes:

 > This is another known bug, which I call the 'magic 128.' Most, if not all,
 > versions of radius, be it Livingston, Merit, RadiusNT, whatever, will choke
 > HORRIBLY if any entered field is over 128 characters. I don't know if
 > there's a workaround, but I haven't actually looked. I honestly don't think
 > anybody's going to bother with that one too much.

Look at radius.h in the original Livingston code.  You'll see:

#define AUTH_STRING_LEN         128     /* maximum of 254 */

Duh! They they almost got the comment right.  AUTH_STRING_LEN is used to
size strvalue in struct value_pair.  It's used like this in radiusd.c:

                        case PW_TYPE_STRING:
                                memcpy(pair->strvalue, ptr, attrlen);

attrlen is calculated as:

                u_char          *ptr;
                ...
                attrlen = *ptr++;
                if(attrlen < 2) {
                        length = 0;
                        continue;
                }
                attrlen -= 2;

Ok, so with this code the max is actually 253.  Ok, copy 253 bytes
inte a 128 byte array and see what happens.  I fixed this for the
Ascend version, perhaps as early as late '94.

// marc

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру