Hello, I have got radius setup to authenticate wireless clients using MS-CHAP and everything works correctly if the entered user / pass is correct. If the password is wrong, however, I get a buffer overflow error and radiusd dies. I get the follow on the console when this happens ...
+- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: rer [mschap] Told to do MS-CHAPv2 for rer with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=rer [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-WC1} -> --domain=WC1 [mschap] mschap2: 5f [mschap] Creating challenge hash with username: rer [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a20a6c5d363dd4b6 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=5182a275d21751ab7007e8de241d8d516215a95d3384ccf9 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect *** buffer overflow detected ***: radiusd terminated ======= Backtrace: ========= /lib/libc.so.6(__fortify_fail+0x37)[0x7fea6d97c427] /lib/libc.so.6(+0xe8150)[0x7fea6d97a150] /lib/libc.so.6(+0xe76eb)[0x7fea6d9796eb] /lib/libc.so.6(__snprintf_chk+0x7b)[0x7fea6d9795bb] /usr/lib64/freeradius/rlm_mschap-2.1.11.so(+0x31bb)[0x7fea6c24a1bb] radiusd(modcall+0xb4b)[0x41c4bb] radiusd(indexed_modcall+0xd3)[0x418b53] /usr/lib64/freeradius/rlm_eap_mschapv2-2.1.11.so(+0x166a)[0x7fea696d366a] /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76] /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926] /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739] radiusd(modcall+0xb4b)[0x41c4bb] radiusd(indexed_modcall+0xd3)[0x418b53] radiusd(rad_authenticate+0x985)[0x40a075] /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(eappeap_process+0x976)[0x7fea698d8f26] /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(+0x1825)[0x7fea698d7825] /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76] /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926] /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739] radiusd(modcall+0xb4b)[0x41c4bb] radiusd(indexed_modcall+0xd3)[0x418b53] radiusd(rad_authenticate+0x985)[0x40a075] radiusd(radius_handle_request+0x52)[0x424d42] radiusd(thread_pool_addrequest+0x9)[0x425039] radiusd[0x4269e6] /usr/lib/libfreeradius-radius-2.1.11.so(fr_event_loop+0x33b)[0x7fea6e04860b] radiusd(main+0x55a)[0x41cd2a] /lib/libc.so.6(__libc_start_main+0xe6)[0x7fea6d8b0ba6] radiusd[0x408fe9]
The version of freeradius i'm running is ... FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11 2012 at 11:10:29 I can replicate this issue with radtest. Does anybody know why this might be happening? If you require any additional info please let me know. One thing I was thinking about trying it going back a few versions of ntlm_auth and tring again. Its interesting how I don't seem to be able to find any information relating to this on the Internet. Thanks, Matt.