On 15 Apr 1998, Hamdi Tounsi wrote: > > Hi all > the following will crash radiusd from livingston, 1.16 and 2.0.1 97/5/22 (the > latest version) > i alerted livingston a few months ago ... a bugfix should be available now Yep :) Attached is a patch for RADIUS Server 2.0.1; feel free to give it to anyone you like. Note that people running very old versions of ComOS that didn't sign accounting packets will need to upgrade their ComOS to at least release 3.3.1 before applying this patch to their RADIUS server, if they want to keep using RADIUS Accounting. I'll place a copy of the patch on ftp://ftp.livingston.com/pub/le/radius/ There's no patch for RADIUS 1.16; anyone who owns a Livingston PortMaster should upgrade to RADIUS 2.0.1 at http://www.livingston.com/Forms/radiusform.cgi and then apply this patch.
*** acct.c.old Fri Apr 17 03:03:23 1998
--- acct.c Fri Apr 17 03:09:04 1998
***************
*** 54,60 ****
  #define SIGN_NOCLIENT -1
  #define SIGN_MATCH 0
- #define SIGN_ZERO 1
  #define SIGN_NOMATCH 2
  extern char recv_buffer[4096];
--- 54,59 ----
***************
*** 90,95 ****
--- 89,98 ----
  /* Verify the client */
  retsig=calc_acctreq(authreq);
+ /* To be strictly compliant with the RADIUS Accounting RFC we
+ only accept packets that returned SIGN_MATCH to
+ indicate the Request-Authenticator is valid.
+ */
  if (retsig == SIGN_NOCLIENT) {
  /* We do not respond when this fails */
  log_err("accounting: unknown client %s ignored\n",
***************
*** 97,103 ****
  reqfree(authreq);
  return;
  } else if (retsig == SIGN_NOMATCH) {
! DEBUG("accounting: client %s sent accounting-request with invalid request authenticator\n",ip_hostname(authreq->ipaddr));
  }
  strcpy(clientname, client_hostname(authreq->ipaddr));
--- 100,108 ----
  reqfree(authreq);
  return;
  } else if (retsig == SIGN_NOMATCH) {
! log_err("accounting: client %s sent accounting-request with invalid request authenticator\n",ip_hostname(authreq->ipaddr));
! reqfree(authreq);
! return;
  }
  strcpy(clientname, client_hostname(authreq->ipaddr));
***************
*** 132,157 ****
  sprintf(buffer,"\tTimestamp = %ld\n",curtime);
  fputs(buffer,outfd);
- /* To be strictly compliant with the RADIUS Accounting RFC we
- should only accept packets that returned SIGN_MATCH to
- indicate the Request-Authenticator is valid, but to provide
- compatibility with NASes that haven't implemented that yet
- we accept no authenticator (all 0's) or mistaken ones, but
- flag them as such. A future release may be more strict.
- */
- switch(retsig) {
- case SIGN_MATCH:
- /* fputs("\tRequest-Authenticator = Verified\n",outfd); */
- break;
- case SIGN_NOMATCH:
- fputs("\tRequest-Authenticator = Unverified\n",outfd);
- break;
- case SIGN_ZERO:
- fputs("\tRequest-Authenticator = None\n",outfd);
- break;
- default:
- break;
- }
  fputs("\n", outfd);
  fclose(outfd);
  /* let NAS know it is OK to delete from buffer */
--- 137,142 ----
***************
*** 314,323 ****
  */
  memset(buffer, 0, sizeof(buffer));
- if (memcmp(buffer,authreq->vector,AUTH_VECTOR_LEN) == 0) {
- /* client did not sign accounting-request */
- return(SIGN_ZERO);
- }
  len = build_packet(authreq,buffer);
  memset(buffer+4, 0, AUTH_VECTOR_LEN);
  secretlen = strlen((char *)secret);
--- 299,304 ----
--jr ---- Josh Richards - <jrichardat_private> - [Beta Engineer] LUCENT Technologies - Remote Access Business Unit (formerly Livingston Enterprises, Inc.) http://www.livingston.com/
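Review bot: The `} else if (retsig == SIGN_NOMATCH) {` branch in the 97,103 hunk still accepts by fall-through: any `retsig` value other than SIGN_NOCLIENT or SIGN_NOMATCH reaches `strcpy(clientname, ...)` and the request is processed as valid. With SIGN_ZERO removed that is only SIGN_MATCH today, but the comment added in the 90,95 hunk promises that only SIGN_MATCH is accepted, so the check should say so and fail closed: `} else if (retsig != SIGN_MATCH) {`. The new `log_err` also fires once per rejected request, and such requests need no valid shared secret to send; if `ip_hostname` performs a name lookup (not visible here) that cost is worth keeping off this path or rate-limiting. The enclosing function begins and ends outside the hunk.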