more paranoid length checking for RADIUS replies

Brendan O'Dea 2004-11-30 06:50:26 +00:00
parent 018b6df641
commit c8c832860d


@ -1,6 +1,6 @@
// L2TPNS Radius Stuff // L2TPNS Radius Stuff
char const *cvs_id_radius = "$Id: radius.c,v 1.18 2004-11-29 02:17:18 bodea Exp $"; char const *cvs_id_radius = "$Id: radius.c,v 1.19 2004-11-30 06:50:26 bodea Exp $";
#include <time.h> #include <time.h>
#include <stdio.h> #include <stdio.h>
@ -471,11 +471,12 @@ void processrad(u8 *buf, int len, char socket_index)
// Extract IP, routes, etc // Extract IP, routes, etc
u8 *p = buf + 20; u8 *p = buf + 20;
u8 *e = buf + len; u8 *e = buf + len;
for (p = buf + 20; p < e && p[1]; p += p[1]) for (; p + 2 <= e && p[1] && p + p[1] <= e; p += p[1])
{ {
if (*p == 8) if (*p == 8)
{ {
// Framed-IP-Address // Framed-IP-Address
if (p[1] < 6) continue;
session[s].ip = ntohl(*(u32 *) (p + 2)); session[s].ip = ntohl(*(u32 *) (p + 2));
session[s].ip_pool_index = -1; session[s].ip_pool_index = -1;
LOG(3, s, session[s].tunnel, " Radius reply contains IP address %s\n", LOG(3, s, session[s].tunnel, " Radius reply contains IP address %s\n",
@ -484,6 +485,7 @@ void processrad(u8 *buf, int len, char socket_index)
else if (*p == 135) else if (*p == 135)
{ {
// DNS address // DNS address
if (p[1] < 6) continue;
session[s].dns1 = ntohl(*(u32 *) (p + 2)); session[s].dns1 = ntohl(*(u32 *) (p + 2));
LOG(3, s, session[s].tunnel, " Radius reply contains primary DNS address %s\n", LOG(3, s, session[s].tunnel, " Radius reply contains primary DNS address %s\n",
fmtaddr(htonl(session[s].dns1), 0)); fmtaddr(htonl(session[s].dns1), 0));
@ -491,6 +493,7 @@ void processrad(u8 *buf, int len, char socket_index)
else if (*p == 136) else if (*p == 136)
{ {
// DNS address // DNS address
if (p[1] < 6) continue;
session[s].dns2 = ntohl(*(u32 *) (p + 2)); session[s].dns2 = ntohl(*(u32 *) (p + 2));
LOG(3, s, session[s].tunnel, " Radius reply contains secondary DNS address %s\n", LOG(3, s, session[s].tunnel, " Radius reply contains secondary DNS address %s\n",
fmtaddr(htonl(session[s].dns2), 0)); fmtaddr(htonl(session[s].dns2), 0));
@ -581,19 +584,23 @@ void processrad(u8 *buf, int len, char socket_index)
LOG(3, s, session[s].tunnel, " Unknown filter\n"); LOG(3, s, session[s].tunnel, " Unknown filter\n");
} }
else if (*p == 26) else if (*p == 26 && p[1] >= 7)
{ {
// Vendor-Specific Attribute // Vendor-Specific Attribute
int vendor = ntohl(*(int *)(p + 2)); int vendor = ntohl(*(int *)(p + 2));
char attrib = *(p + 6); char attrib = *(p + 6);
char attrib_length = *(p + 7) - 2; char attrib_length = *(p + 7) - 2;
LOG(3, s, session[s].tunnel, " Radius reply contains Vendor-Specific. Vendor=%d Attrib=%d Length=%d\n", vendor, attrib, attrib_length);
if (attrib_length == 0) continue;
if (attrib != 1)
LOG(3, s, session[s].tunnel, " Unknown vendor-specific\n");
else
{
char *avpair, *value, *key, *newp; char *avpair, *value, *key, *newp;
LOG(3, s, session[s].tunnel, " Radius reply contains Vendor-Specific. Vendor=%d Attrib=%d Length=%d\n", vendor, attrib, attrib_length);
if (vendor != 9 || attrib != 1)
{
LOG(3, s, session[s].tunnel, " Unknown vendor-specific\n");
continue;
}
if (attrib_length < 0) continue;
avpair = key = calloc(attrib_length + 1, 1); avpair = key = calloc(attrib_length + 1, 1);
memcpy(avpair, p + 8, attrib_length); memcpy(avpair, p + 8, attrib_length);
LOG(3, s, session[s].tunnel, " Cisco-Avpair value: %s\n", avpair); LOG(3, s, session[s].tunnel, " Cisco-Avpair value: %s\n", avpair);
@ -625,7 +632,6 @@ void processrad(u8 *buf, int len, char socket_index)
} }
} }
} }
}
else if (*buf == 3) else if (*buf == 3)
{ {
LOG(2, s, session[s].tunnel, " Authentication denied for %s\n", session[s].user); LOG(2, s, session[s].tunnel, " Authentication denied for %s\n", session[s].user);
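Review bot: In the Vendor-Specific branch (`*p == 26`), the guard `p[1] >= 7` still lets `*(p + 7)` read one byte beyond a 7-byte attribute, and the inner length `attrib_length` taken from that byte is never compared with the outer attribute length before `memcpy(avpair, p + 8, attrib_length)`. A reply whose vendor sub-length is larger than what remains in the attribute would make the copy read past the attribute and possibly past `e`. I would require `p[1] >= 8`, declare `int attrib_length = p[7] - 2;` so the result does not depend on the signedness of `char`, and skip with `if (attrib_length < 0 || attrib_length > p[1] - 8) continue;`. The `calloc` result is also passed to `memcpy` without a NULL check. processrad's body starts and ends outside the visible hunks.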