Bug#530513: freeradius: double quotes in the password break when proxying with rlm_perl

Mon, 25 May 2009 04:34:22 -0700 

Package: freeradius
Version: 2.0.4+dfsg-6
Severity: normal
Tags: patch fixed-upstream

As seen in

 https://lists.freeradius.org/pipermail/freeradius-devel/2009-May/013106.html

there's a problem with proxying authentication requests when the rlm_perl
module is used and the password contains a double quote (") or a backslash (\).

The attached patch fixes the problem and was recently committed to the
upstream repository. Filing this to track the issue for squeeze; while
I'd love to see it fixed for lenny in a stable update, I doubt it meets
the criteria.

Thanks for maintaining freeradius,
-- 
Niko Tyni   nt...@debian.org

>From fa2e002271ee59410ec089540317f7e5d7ddcd2b Mon Sep 17 00:00:00 2001
From: Niko Tyni <nt...@cc.helsinki.fi>
Date: Wed, 20 May 2009 12:11:19 +0300
Subject: [PATCH] make_passwd: only use 'inlen' bytes of the input string

In some situations (at least a roundtrip through the rlm_perl module)
the User-Password value pair can have extra non-null bytes at the end
so that strlen(vp->data.strvalue) > vp->length.

These extra bytes shold not be used by make_passwd to construct the
Message-Authenticator, so copy just 'inlen' bytes of the input string
before rounding up the length.
---
 src/lib/radius.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/lib/radius.c b/src/lib/radius.c
index 679e2ae..b49f0df 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -438,10 +438,15 @@ static void make_passwd(uint8_t *output, int *outlen,
 	 *	If the length is zero, round it up.
 	 */
 	len = inlen;
+
+	if (len > MAX_PASS_LEN) len = MAX_PASS_LEN;
+
+	memcpy(passwd, input, len);
+	memset(passwd + len, 0, sizeof(passwd) - len);
+
 	if (len == 0) {
 		len = AUTH_PASS_LEN;
 	}
-	else if (len > MAX_PASS_LEN) len = MAX_PASS_LEN;
 
 	else if ((len & 0x0f) != 0) {
 		len += 0x0f;
@@ -449,9 +454,6 @@ static void make_passwd(uint8_t *output, int *outlen,
 	}
 	*outlen = len;
 
-	memcpy(passwd, input, len);
-	memset(passwd + len, 0, sizeof(passwd) - len);
-
 	fr_MD5Init(&context);
 	fr_MD5Update(&context, (const uint8_t *) secret, strlen(secret));
 	old = context;
-- 
1.5.6.5

Reply via email to