From bf588d6e13b974150a39fe646be5b9273b4b7036 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Tue, 7 Feb 2017 14:32:00 -0500
Subject: [PATCH] reject packets which contain multiple kinds of authentication protocols

Specifically, EAP and non-EAP packets.

In reality, no one should be caught by this.
---
 src/include/libradius.h | 1 +
 src/lib/radius.c | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/src/include/libradius.h b/src/include/libradius.h
index a3c8f58..4a79857 100644
--- a/src/include/libradius.h
+++ b/src/include/libradius.h
@@ -418,6 +418,7 @@ typedef enum {
 DECODE_FAIL_ATTRIBUTE_UNDERFLOW,
 DECODE_FAIL_TOO_MANY_ATTRIBUTES,
 DECODE_FAIL_MA_MISSING,
+DECODE_FAIL_TOO_MANY_AUTH,
 DECODE_FAIL_MAX
 } decode_fail_t;
 
diff --git a/src/lib/radius.c b/src/lib/radius.c
index 53d45e2..ad6b15b 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -2344,6 +2344,8 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
 bool seen_ma = false;
 uint32_t num_attributes;
 decode_fail_t failure = DECODE_FAIL_NONE;
+bool eap = false;
+bool non_eap = false;
 
 /*
 * Check for packets smaller than the packet header.
@@ -2549,6 +2551,13 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
 */
 case PW_EAP_MESSAGE:
 require_ma = true;
+eap = true;
+break;
+
+case PW_USER_PASSWORD:
+case PW_CHAP_PASSWORD:
+case PW_ARAP_PASSWORD:
+non_eap = true;
 break;
 
 case PW_MESSAGE_AUTHENTICATOR:
@@ -2626,6 +2635,15 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
 goto finish;
 }
 
+if (eap && non_eap) {
+FR_DEBUG_STRERROR_PRINTF("Bad packet from host %s: Packet contains EAP-Message and non-EAP authentication attribute",
+inet_ntop(packet->src_ipaddr.af,
+&packet->src_ipaddr.ipaddr,
+host_ipaddr, sizeof(host_ipaddr)));
+failure = DECODE_FAIL_TOO_MANY_AUTH;
+goto finish;
+}
+
 /*
 * Fill RADIUS header fields
 */
-- 
2.1.4
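Review bot: DECODE_FAIL_TOO_MANY_AUTH is added to decode_fail_t without a comment, and the name ("too many") does not on its own say that the condition is EAP-Message combined with a non-EAP password attribute; a trailing comment such as `DECODE_FAIL_TOO_MANY_AUTH,	/* EAP-Message plus User/CHAP/ARAP-Password in one packet */` would make that clear to readers of the header. If any array or switch elsewhere is indexed by, or enumerates, decode_fail_t up to DECODE_FAIL_MAX (reason strings, per-reason counters), it needs a matching entry; none is visible in this patch, so that is worth confirming before merge.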
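Review bot: non_eap is a single bool, so the new cases treat User-Password, CHAP-Password and ARAP-Password as one class: a packet carrying two of them, or several copies of one, is not rejected by this check, only their combination with EAP-Message is. That matches the description ("EAP and non-EAP"), but the subject line says "multiple kinds of authentication protocols", so a comment above the new cases should state the narrower scope, e.g. `/* Non-EAP credentials; only their mix with EAP-Message is rejected, not mixes among themselves */`. Credentials carried inside vendor-specific attributes (MS-CHAP is the usual case) are not top-level attribute types and so are presumably not reached by this switch; the comment should say so if that is intended. The switch statement begins and ends outside the hunk.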
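Review bot: The rejection message names the EAP-Message side but not which non-EAP attribute was found, so someone triaging the log has to go back to a capture to learn whether it was User-Password, CHAP-Password or ARAP-Password. Recording the offending attribute number when non_eap is set (an unsigned attribute number in place of the bool) and printing it alongside the host in this message would make the event self-describing. Because the check sits after the earlier `goto finish` paths, those failures (presumably the Message-Authenticator checks immediately above) are reported in preference to DECODE_FAIL_TOO_MANY_AUTH when both apply; a one-line comment stating that precedence would help. The body of rad_packet_ok continues outside the hunk.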