buffer overflow on mschap reject

Matt Richards matt at mattstone.net
Tue Jun 12 15:56:22 CEST 2012


Hello,

I have got radius setup to authenticate wireless clients using MS-CHAP
and everything works correctly if the entered user / pass is correct.

If the password is wrong, however, I get a buffer overflow error and
radiusd dies.

I get the following on the console when this happens ...

> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: rer
> [mschap] Told to do MS-CHAPv2 for rer with NT-Password
> [mschap]        expand: --username=%{mschap:User-Name:-None} -> --username=rer
> [mschap] No NT-Domain was found in the User-Name.
> [mschap]        expand: %{mschap:NT-Domain} -> 
> [mschap]        ... expanding second conditional
> [mschap]        expand: --domain=%{%{mschap:NT-Domain}:-WC1} -> --domain=WC1
> [mschap]  mschap2: 5f
> [mschap] Creating challenge hash with username: rer
> [mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a20a6c5d363dd4b6
> [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=5182a275d21751ab7007e8de241d8d516215a95d3384ccf9
> Exec-Program output: Logon failure (0xc000006d) 
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d) 
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> *** buffer overflow detected ***: radiusd terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__fortify_fail+0x37)[0x7fea6d97c427]
> /lib/libc.so.6(+0xe8150)[0x7fea6d97a150]
> /lib/libc.so.6(+0xe76eb)[0x7fea6d9796eb]
> /lib/libc.so.6(__snprintf_chk+0x7b)[0x7fea6d9795bb]
> /usr/lib64/freeradius/rlm_mschap-2.1.11.so(+0x31bb)[0x7fea6c24a1bb]
> radiusd(modcall+0xb4b)[0x41c4bb]
> radiusd(indexed_modcall+0xd3)[0x418b53]
> /usr/lib64/freeradius/rlm_eap_mschapv2-2.1.11.so(+0x166a)[0x7fea696d366a]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739]
> radiusd(modcall+0xb4b)[0x41c4bb]
> radiusd(indexed_modcall+0xd3)[0x418b53]
> radiusd(rad_authenticate+0x985)[0x40a075]
> /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(eappeap_process+0x976)[0x7fea698d8f26]
> /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(+0x1825)[0x7fea698d7825]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739]
> radiusd(modcall+0xb4b)[0x41c4bb]
> radiusd(indexed_modcall+0xd3)[0x418b53]
> radiusd(rad_authenticate+0x985)[0x40a075]
> radiusd(radius_handle_request+0x52)[0x424d42]
> radiusd(thread_pool_addrequest+0x9)[0x425039]
> radiusd[0x4269e6]
> /usr/lib/libfreeradius-radius-2.1.11.so(fr_event_loop+0x33b)[0x7fea6e04860b]
> radiusd(main+0x55a)[0x41cd2a]
> /lib/libc.so.6(__libc_start_main+0xe6)[0x7fea6d8b0ba6]
> radiusd[0x408fe9]


The version of freeradius I'm running is ...

FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11
2012 at 11:10:29

I can replicate this issue with radtest.

Does anybody know why this might be happening? If you require any
additional info please let me know. One thing I was thinking about
trying is going back a few versions of ntlm_auth and trying again. It's
interesting how I don't seem to be able to find any information relating
to this on the Internet.

Thanks,

Matt.
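The backtrace above ends in glibc's `__snprintf_chk`, which is the `_FORTIFY_SOURCE` wrapper for `snprintf()`: it aborts the process with "*** buffer overflow detected ***" when the length argument passed to `snprintf()` is larger than the destination buffer the compiler could see, so the reject path in rlm_mschap is formatting into a buffer with a mismatched size. The post does not show which `snprintf()` call in rlm_mschap 2.1.11 is at fault, so the following is an added illustration, not FreeRADIUS code: a hypothetical bounded message builder that appends several fields into one fixed buffer while recomputing the remaining space before each call, which is the pattern that keeps a wrong password from taking the daemon down. The function names, the 64-byte buffer and the sample usernames are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper (added example, not FreeRADIUS code). Appends one
 * formatted field to buf, using the space that is actually left rather
 * than the buffer's full size. Passing the full size on every call after
 * the write position has advanced is exactly the mismatch that glibc's
 * _FORTIFY_SOURCE check (__snprintf_chk) aborts on.
 * Returns 0 on success, -1 if the field did not fit (output is then
 * truncated but still NUL-terminated, never overflowed). */
static int append_field(char *buf, size_t buflen, size_t *used,
                        const char *fmt, const char *value)
{
    size_t remaining = buflen - *used;          /* space left, NOT buflen */
    int n = snprintf(buf + *used, remaining, fmt, value);
    if (n < 0)
        return -1;                              /* encoding error */
    if ((size_t)n >= remaining) {               /* snprintf reports needed size */
        *used = buflen - 1;                     /* buffer is now full */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

/* Builds "FAILED for user <user>: <reason>" into a caller-supplied buffer.
 * Returns 0 if the whole message fitted, -1 if it was truncated. */
int build_reject_message(char *out, size_t outlen,
                         const char *user, const char *reason)
{
    size_t used = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (append_field(out, outlen, &used, "FAILED for user %s", user) < 0)
        return -1;
    if (append_field(out, outlen, &used, ": %s", reason) < 0)
        return -1;
    return 0;
}

/* Wrapper with a small fixed buffer so the effect of an over-long
 * username is visible: 0 = fitted, -1 = truncated (and the process
 * is still alive). The reason string is the one from the log above. */
int reject_fits_in_64(const char *user)
{
    char buf[64];
    return build_reject_message(buf, sizeof(buf), user,
                                "Logon failure (0xc000006d)");
}

/* Constructed sample inputs. */
const char *SAMPLE_USER = "rer";
const char *HUGE_USER =
    "user-name-that-is-far-longer-than-sixty-four-bytes-xxxxxxxxxxxxxxxxxxxxxxxx";

int main(void)
{
    char buf[64];
    int rc = build_reject_message(buf, sizeof(buf), SAMPLE_USER,
                                  "Logon failure (0xc000006d)");
    printf("rc=%d msg=\"%s\"\n", rc, buf);
    printf("huge user fits: %d\n", reject_fits_in_64(HUGE_USER));
    return 0;
}
```

Compile with `-O2 -D_FORTIFY_SOURCE=2` to get the same `__snprintf_chk` instrumentation as the crashing build; with the remaining-space arithmetic in place the long username is reported as a truncation return code instead of an abort, which is the behaviour a reject path should have.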
