segfault in master 3.0.x checking for empty realm

Fri Mar 4 21:59:31 CET 2016

On Sat, Mar 5, 2016 at 8:17 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Mar 4, 2016, at 11:34 AM, Peter Lambrechtsen <peter at crypt.co.nz> wrote:
> >
> > Ran into an interesting issue with my realm code that should have just
> > given me a reject rather than a segfault.
> >
> > In my default site I have added to the end the realm:
> >
> > realm "~.*$" {
> > }
>
>   You don't need that.  The DEFAULT realm already does that.
>

But the default realm doesn't set the Realm VSA to the value passed in the
request after the @ or whatever we are splitting the realm on.

If there is nothing in the realm I get:

(0) Received Access-Request Id 159 from 127.0.0.1:47635 to 127.0.0.1:1812
length 264
(0)   User-Password = "1234"
(0)   User-Name = "user at testing"
(0) # Executing section authorize from file ./sites-enabled/default
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "testing" for User-Name = "user at testing"
(0) suffix: No such realm "testing"
(0)     [suffix] = noop

Or if I have the realm "DEFAULT"

realm DEFAULT {
}

Then I get.

(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "testing" for User-Name = "user at testing"
(0) suffix: Found realm "DEFAULT"
(0) suffix: Adding Stripped-User-Name = "user"
(0) suffix: Adding Realm = "DEFAULT"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
...
(0) perl:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'DEFAULT'

Whereas when I have realm "~.*$"

realm "~.*$" {
}

I get the realm passed in the request into the Realm VSA.

(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "testing" for User-Name = "user at testing"
(0) suffix: Found realm "~.*$"
(0) suffix: Adding Stripped-User-Name = "user"
(0) suffix: Adding Realm = "testing"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
...
(0) perl:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'testing'

So then I can do some logic based on the realm passed and lookup which
realm I want to use.

As the proxy.conf has realm value such as "CryptServer1" as the realm name,
and I do a lookup based on the realm passed in the request "crypt.co.nz"
and do an update control Proxy-To-Realm CryptServer1.

So I use the suffix module to do the split of the User-Name rather than
complex regex. And make decisions on which realm to Proxy to (or not Proxy)
based on data in the database. I get a Proxy-To-Realm in the response from
suffix then someone is doing something very untoward using a suffix on the
request that actually does match to a realm in the proxy file. Which should
never happen as the realms in the proxy.conf are something like
"ServerName1-bignumber" so if a user uses "user at ServerName1-bignumber" then
they are trying to hack knowing some internal only information or do
something untoward so I just reject those requests.

> So that suffix matches every realm as I don't have control over the realm
> > names and need to perform lookups in the database on the realm.
> >
> > But if I then try and run suffix with an empty realm and do if check to
> see
> > if it's not a particular realm I get a segfault.
>
>   I've pushed a fix.
>

Brilliant, I'll have a go with it later on this afternoon.