Hello, I have got radius setup to authenticate wireless clients using MS-CHAP and everything works correctly if the entered user / pass is correct. If the password is wrong, however, I get a buffer overflow error and radiusd dies. I get the follow on the console when this happens ...
+- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: rer [mschap] Told to do MS-CHAPv2 for rer with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=rer [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-WC1} -> --domain=WC1 [mschap] mschap2: 5f [mschap] Creating challenge hash with username: rer [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a20a6c5d363dd4b6 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=5182a275d21751ab7007e8de241d8d516215a95d3384ccf9 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect *** buffer overflow detected ***: radiusd terminated ======= Backtrace: ========= /lib/libc.so.6(__fortify_fail+0x37)[0x7fea6d97c427] /lib/libc.so.6(+0xe8150)[0x7fea6d97a150] /lib/libc.so.6(+0xe76eb)[0x7fea6d9796eb] /lib/libc.so.6(__snprintf_chk+0x7b)[0x7fea6d9795bb] /usr/lib64/freeradius/rlm_mschap-2.1.11.so(+0x31bb)[0x7fea6c24a1bb] radiusd(modcall+0xb4b)[0x41c4bb] radiusd(indexed_modcall+0xd3)[0x418b53] /usr/lib64/freeradius/rlm_eap_mschapv2-2.1.11.so(+0x166a)[0x7fea696d366a] /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76] /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926] /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739] radiusd(modcall+0xb4b)[0x41c4bb] radiusd(indexed_modcall+0xd3)[0x418b53] radiusd(rad_authenticate+0x985)[0x40a075] /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(eappeap_process+0x976)[0x7fea698d8f26] /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(+0x1825)[0x7fea698d7825] /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76] /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926] /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739] radiusd(modcall+0xb4b)[0x41c4bb] radiusd(indexed_modcall+0xd3)[0x418b53] radiusd(rad_authenticate+0x985)[0x40a075] radiusd(radius_handle_request+0x52)[0x424d42] radiusd(thread_pool_addrequest+0x9)[0x425039] radiusd[0x4269e6] /usr/lib/libfreeradius-radius-2.1.11.so(fr_event_loop+0x33b)[0x7fea6e04860b] radiusd(main+0x55a)[0x41cd2a] /lib/libc.so.6(__libc_start_main+0xe6)[0x7fea6d8b0ba6] radiusd[0x408fe9]
The version of freeradius i'm running is ... FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11 2012 at 11:10:29 I can replicate this issue with radtest. Does anybody know why this might be happening? If you require any additional info please let me know. One thing I was thinking about trying it going back a few versions of ntlm_auth and tring again. Its interesting how I don't seem to be able to find any information relating to this on the Internet. Thanks, Matt.
Matt Richards wrote:
Hello,
I have got radius setup to authenticate wireless clients using MS-CHAP and everything works correctly if the entered user / pass is correct.
If the password is wrong, however, I get a buffer overflow error and radiusd dies.
You probably set the "retry_msg" to a very long string.
*** buffer overflow detected ***: radiusd terminated ======= Backtrace: =========
Reading doc/bugs would help here.
I can replicate this issue with radtest.
Do you have a minimal config which could help?
Does anybody know why this might be happening? If you require any additional info please let me know. One thing I was thinking about trying it going back a few versions of ntlm_auth and tring again. Its interesting how I don't seem to be able to find any information relating to this on the Internet.
The error path here is very small. i.e. ~15 lines of code. Running the server under "valgrind" would help, too. But first build it with debugging symbols. Alan DeKok.
On 06/12/12 15:20, Alan DeKok wrote:
Matt Richards wrote:
Hello,
I have got radius setup to authenticate wireless clients using MS-CHAP and everything works correctly if the entered user / pass is correct.
If the password is wrong, however, I get a buffer overflow error and radiusd dies.
You probably set the "retry_msg" to a very long string.
I did have a retry_msg which was left as the default value of retry_msg = "Re-enter (or reset) the password" After I commented out this line the problem went away. Thanks for your help. I'm guessing this shouldn't crash with the example config? maybe the mschap stuff bloats the reply too much?
*** buffer overflow detected ***: radiusd terminated ======= Backtrace: =========
Reading doc/bugs would help here.
I can replicate this issue with radtest.
Do you have a minimal config which could help?
Does anybody know why this might be happening? If you require any additional info please let me know. One thing I was thinking about trying it going back a few versions of ntlm_auth and tring again. Its interesting how I don't seem to be able to find any information relating to this on the Internet.
The error path here is very small. i.e. ~15 lines of code.
Running the server under "valgrind" would help, too. But first build it with debugging symbols.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I did have a retry_msg which was left as the default value of
retry_msg = "Re-enter (or reset) the password"
After I commented out this line the problem went away.
Thanks for your help. I'm guessing this shouldn't crash with the example config? maybe the mschap stuff bloats the reply too much?
doesnt crash here - what code release are you using? alan
On 06/13/12 13:04, alan buxey wrote:
Hi,
I did have a retry_msg which was left as the default value of
retry_msg = "Re-enter (or reset) the password"
After I commented out this line the problem went away.
Thanks for your help. I'm guessing this shouldn't crash with the example config? maybe the mschap stuff bloats the reply too much?
doesnt crash here - what code release are you using?
# ntlm_auth -V Version 3.5.15 # radiusd -X | head -1 FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11 2012 at 11:10:29
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
alan buxey -
Alan DeKok -
Matt Richards