Thank you for your reply. Alan DeKok <aland@deployingradius.com> wrote:
blue_11j@yahoo.co.jp wrote:
but it look like that: When radiusd received EAP-Identify request, eaplist_add(inst, handler) called in eap_authenticate() in rlm_eap.c, and the handler is allocated by eap_handler_alloc() in eap_handler() in eap.c.
Hmm... OK. So long as one non-identity packet comes through, this shouldn't be a problem.
Yes, It is the problem that received malicious "EAP Identity DoS attack".
But OK, I'll look into fixing that in the next release.
if possible, we want to fix that in FR 1.1.7. Which way better do you think ? - in eaplist_add(), expire the eap_handler same as eaplist_find(). or.. - if it continue to receive EAP Identity over limit number, no more add to list and ignore. (if it receive non-identity packet, reset counter). or other way ... -------------------------------------- GANBARE! NIPPON! Chance to win 50,000 Yahoo! Points! http://pr.mail.yahoo.co.jp/ganbare-nippon/