Serious bug in "radius" dialup authentication software


X-RDate: Mon, 23 Feb 1998 12:43:22 +0500 (ESK)
Date: Sun, 22 Feb 1998 18:32:01 -0800
From: Marco S Hyman <marc@snafu.org>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Serious bug in "radius" dialup authentication software

"Phillip R. Jaenke" writes:

 > This is another known bug, which I call the 'magic 128.' Most, if not all,
 > versions of radius, be it Livingston, Merit, RadiusNT, whatever, will choke
 > HORRIBLY if any entered field is over 128 characters. I don't know if
 > there's a workaround, but I haven't actually looked. I honestly don't think
 > anybody's going to bother with that one too much.

Look at radius.h in the original Livingston code.  You'll see:

#define AUTH_STRING_LEN         128     /* maximum of 254 */

Duh! They almost got the comment right.  AUTH_STRING_LEN is used to
size strvalue in struct value_pair.  It's used like this in radiusd.c:

                        case PW_TYPE_STRING:
                                memcpy(pair->strvalue, ptr, attrlen);

attrlen is calculated as:

                u_char          *ptr;
                ...
                attrlen = *ptr++;
                if(attrlen < 2) {
                        length = 0;
                        continue;
                }
                attrlen -= 2;

Ok, so with this code the max is actually 253.  Ok, copy 253 bytes
into a 128 byte array and see what happens.  I fixed this for the
Ascend version, perhaps as early as late '94.

// marc
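
Added example, not part of the original post and not Livingston or Ascend code: a bounds-checked version of the string-attribute copy discussed above. The reduced struct layout, the function name parse_string_attr and the sample packet are assumptions made for illustration; only AUTH_STRING_LEN and its value come from the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AUTH_STRING_LEN 128   /* value quoted from radius.h in the post */

struct value_pair {           /* reduced, hypothetical layout */
    unsigned char type;
    size_t        length;
    char          strvalue[AUTH_STRING_LEN];
};

/* Parse one type/length/value attribute from buf[0..buflen).
 * Returns the number of bytes consumed, or -1 if the attribute is
 * malformed or its value does not fit in strvalue with a terminator. */
int parse_string_attr(const unsigned char *buf, size_t buflen,
                      struct value_pair *pair)
{
    size_t attrlen;

    if (buflen < 2)
        return -1;                    /* no room for the 2-byte header */
    attrlen = buf[1];                 /* length octet includes the header */
    if (attrlen < 2 || attrlen > buflen)
        return -1;                    /* runt, or claims more than received */
    attrlen -= 2;                     /* value length, 0..253 */
    if (attrlen >= sizeof pair->strvalue)
        return -1;                    /* the check the quoted memcpy lacks */
    memcpy(pair->strvalue, buf + 2, attrlen);
    pair->strvalue[attrlen] = '\0';   /* keep it usable as a C string */
    pair->type = buf[0];
    pair->length = attrlen;
    return (int)(attrlen + 2);
}

int main(void)
{
    unsigned char pkt[255];           /* constructed sample: type 1, 253 x 'A' */
    struct value_pair vp;

    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 1;
    pkt[1] = 255;                     /* largest length one octet can carry */
    printf("oversized: %d\n", parse_string_attr(pkt, sizeof pkt, &vp));
    pkt[1] = 6;                       /* same buffer read as a 4-byte value */
    printf("short:     %d\n", parse_string_attr(pkt, sizeof pkt, &vp));
    return 0;
}
```

Rejecting the attribute is one policy; truncating to the buffer size or raising AUTH_STRING_LEN are alternatives, but each still needs the length compared against sizeof strvalue before the copy.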
