Specifically, EAP and non-EAP packets.
In reality, no one should be caught by this.
DECODE_FAIL_ATTRIBUTE_UNDERFLOW,
DECODE_FAIL_TOO_MANY_ATTRIBUTES,
DECODE_FAIL_MA_MISSING,
+ DECODE_FAIL_TOO_MANY_AUTH,
DECODE_FAIL_MAX
} decode_fail_t;
bool seen_ma = false;
uint32_t num_attributes;
decode_fail_t failure = DECODE_FAIL_NONE;
+ bool eap = false;
+ bool non_eap = false;
/*
* Check for packets smaller than the packet header.
*/
case PW_EAP_MESSAGE:
require_ma = true;
+ eap = true;
+ break;
+
+ case PW_USER_PASSWORD:
+ case PW_CHAP_PASSWORD:
+ case PW_ARAP_PASSWORD:
+ non_eap = true;
break;
case PW_MESSAGE_AUTHENTICATOR:
goto finish;
}
+ if (eap && non_eap) {
+ FR_DEBUG_STRERROR_PRINTF("Bad packet from host %s: Packet contains EAP-Message and non-EAP authentication attribute",
+ inet_ntop(packet->src_ipaddr.af,
+ &packet->src_ipaddr.ipaddr,
+ host_ipaddr, sizeof(host_ipaddr)));
+ failure = DECODE_FAIL_TOO_MANY_AUTH;
+ goto finish;
+ }
+
/*
* Fill RADIUS header fields
*/
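Review bot: The new `eap && non_eap` check only sees the three attributes the switch marks as non-EAP (User-Password, CHAP-Password, ARAP-Password), so a packet that pairs EAP-Message with a credential carried in a Vendor-Specific attribute, such as the MS-CHAP attributes, presumably still passes this stage; the switch appears to test the top-level attribute type only, and its body starts outside the visible lines. The name `DECODE_FAIL_TOO_MANY_AUTH` also reads broader than the behaviour, since two different non-EAP credentials in one packet set the same `non_eap` flag and are not rejected. I would document the scope above the check with a comment such as `/* Reject EAP-Message mixed with User-Password, CHAP-Password or ARAP-Password; VSA-based methods are not checked here. */`, matching the block comments on the neighbouring checks. Separately, any table indexed by `decode_fail_t` and sized by `DECODE_FAIL_MAX` needs an entry for the new value; none is visible on this page.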