Re: Serious bug in "radius" dialup authentication software

From: Dale E. Reed Jr. (daler@IEA-SOFTWARE.COM)
Date: Mon Feb 23 1998 - 11:01:11 PST


    I would like to address the issue of RadiusNT and the below.
    
    The issue with RadiusNT and long usernames has nothing to do with
    the below code.  The issue ONLY surfaces when you have concurrency
    control enabled, and have a username higher than 60 or so characters.
    If you turn concurrency control off, RadiusNT will NOT crash
    and allows usernames up to 253 characters.
    
    RadiusNT also correctly supports string attributes up to 253
    characters long, as per the RFC.
    
    
    > >  > This is another known bug, which I call the 'magic 128.' Most, if not all,
    > >  > versions of radius, be it Livingston, Merit, RadiusNT, whatever, will choke
    > >  > HORRIBLY if any entered field is over 128 characters. I don't know if
    > >  > there's a workaround, but I haven't actually looked. I honestly don't think
    > >  > anybody's going to bother with that one too much.
    > >
    > > Look at radius.h in the original Livingston code.  You'll see:
    > >
    > > #define AUTH_STRING_LEN         128     /* maximum of 254 */
    > >
    > > Duh! They almost got the comment right.  AUTH_STRING_LEN is used to
    > > size strvalue in struct value_pair.  It's used like this in radiusd.c:
    > >
    > >                         case PW_TYPE_STRING:
    > >                                 memcpy(pair->strvalue, ptr, attrlen);
    > >
    > > attrlen is calculated as:
    > >
    > >                 u_char          *ptr;
    > >                 ...
    > >                 attrlen = *ptr++;
    > >                 if(attrlen < 2) {
    > >                         length = 0;
    > >                         continue;
    > >                 }
    > >                 attrlen -= 2;
    > >
    > > Ok, so with this code the max is actually 253.  Ok, copy 253 bytes
    > > into a 128 byte array and see what happens.  I fixed this for the
    > > Ascend version, perhaps as early as late '94.
    > >
    > > // marc
    
    --
    Dale E. Reed Jr.  (daler@iea-software.com)
    _________________________________________________________________
           IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
     Internet Solutions for Today  |   http://www.iea-software.com
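
The attribute length handling quoted in the message above, written with the two bounds checks the quoted memcpy lacks. This is an added example, not code from the thread or from any RADIUS server; `struct vp_example`, `parse_string_attr` and `demo` are hypothetical names, and the packet bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ATTR_VALUE 253   /* length octet max (255) minus the type and length octets */

/* Hypothetical stand-in for value_pair: strvalue holds the longest legal value plus a NUL. */
struct vp_example {
    unsigned char type;
    size_t        length;
    char          strvalue[MAX_ATTR_VALUE + 1];
};

/* Parse one attribute from buf[0..remaining). Returns bytes consumed, or -1 if malformed. */
int parse_string_attr(const unsigned char *buf, size_t remaining, struct vp_example *pair)
{
    size_t attrlen;

    if (remaining < 2)
        return -1;                     /* no room for the type and length octets */
    attrlen = buf[1];
    if (attrlen < 2 || attrlen > remaining)
        return -1;                     /* length octet overruns the received packet */
    attrlen -= 2;
    if (attrlen >= sizeof(pair->strvalue))
        return -1;                     /* value would not fit the destination buffer */
    pair->type = buf[0];
    pair->length = attrlen;
    memcpy(pair->strvalue, buf + 2, attrlen);
    pair->strvalue[attrlen] = '\0';
    return (int)attrlen + 2;
}

/* Constructed input: a type 1 (User-Name) attribute declaring value_len bytes of 'A',
   parsed as if only `present` bytes of the packet had arrived. */
int demo(size_t value_len, size_t present)
{
    unsigned char pkt[255];
    struct vp_example pair;

    memset(pkt, 'A', sizeof(pkt));
    pkt[0] = 1;
    pkt[1] = (unsigned char)(value_len + 2);
    return parse_string_attr(pkt, present, &pair);
}

int main(void)
{
    printf("253-byte value: %d\n", demo(253, 255));
    printf("129-byte value: %d\n", demo(129, 255));
    printf("truncated packet: %d\n", demo(253, 100));
    return 0;
}
```

The third check cannot fire while the buffer is sized from `MAX_ATTR_VALUE`; it stays so that shrinking the buffer later fails closed instead of overflowing.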
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:12 PDT