OpenDirectory Authentication memory corruption

Alan DeKok aland at
Wed Jun 10 03:35:32 CEST 2020

On Jun 9, 2020, at 4:25 AM, Carsten Kirschner via Freeradius-Users <freeradius-users at> wrote:
> I tried various ways to get line numbers compiled in, but failed. The compiler switch -g3 is set, by your default, but the binaries do not contain full debug info and I couldn't see any symbol files. If someone has a way to create proper files I will try that.

  Weird.  Oh well.

> What I tried, and can say for sure, is that the crash can be mitigated if talloc_zero_array is used instead of talloc_array in src/modules/rlm_mschap/opendir.c in the lines around 140.
> I refer to this code segment, both occurrences of talloc_array: (the zero setting of the last byte is then unneeded)
> I think this is not the fix for the problem, but prevents the crash. Maybe because there is no longer uninitialized memory which is accessed because of a null check somewhere else.

  I'll push that fix, but it doesn't make sense to me.  Sure, the use of talloc_zero_array() ensures that the entire memory is set to zero.  But the next line is a memcpy(), which also initializes the entire array.

> With the talloc_zero_array function I can reliably authenticate users from the local user database. But users from the Opendirectory fail with mschap: ERROR: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported

  I guess MS-CHAP is no longer supported.  Maybe Apple would be gracious enough to send a patch.  :(

  Alan DeKok.
