make_passwd(), rlm_perl and double quotes in the password
ntyni at cc.helsinki.fi
Wed May 20 12:14:05 CEST 2009
We're seeing failed logins when proxying authentication requests through
to another RADIUS server if the password contains a double quote (").
I've debugged the issue a bit, and what happens is that when the password
does a roundtrip through the rlm_perl module, the value pair structure
ends up with extra bytes at the end so that
strlen(vp->data.strvalue) > vp->length.
These extra bytes are the result of escaping the double quote before
entering the Perl code and then unescaping it afterwards. For instance,
the password abcdef" is passed as abcdef\" to the Perl code, and
afterwards it becomes abcdef"" with length 7 (so the extra byte is
not supposed to hurt AIUI.)
Unfortunately make_passwd() rounds 'inlen' up to a multiple of 16 before
copying the input string, so the extra bytes end up in the message
authenticator of the proxied request.
It seems to me that the escaping and unescaping done in rlm_perl via
    perl_store_vps() -> vp_prints_value() -> librad_safeprint()
    get_hv_content() -> pairadd_sv() -> pairmake() -> pairparsevalue()
is a bit unnecessary, and that the unescaping could zero out the
extra bytes, but the main bug is in make_passwd() IMO.
I have reproduced this with a Debian 2.0.4 freeradius package,
a Fedora 2.1.3 package, and a current git.freeradius.org checkout.
I'm attaching a proposed patch to make_passwd(). Please let me know if
you need more information, I can easily produce stack traces and the like.
Thanks for your work on FreeRADIUS,
Niko Tyni ntyni at cc.helsinki.fi
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1513 bytes
Desc: not available
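
The padding behaviour described in the message above, as an added example in C; it is not FreeRADIUS code and not the scrubbed patch. It models only the copy-and-pad step (no encryption), and `vp_model`, `pad_copy_rounded`, `pad_copy_zeroed`, `stale_pad_bytes` and `sample_vp` are hypothetical names with a constructed sample value.

```c
#include <stdio.h>
#include <string.h>
#define AUTH_PASS_LEN 16    /* RFC 2865 User-Password block size */
#define MAX_PASS_LEN  128   /* RFC 2865 maximum User-Password length */

/* Constructed stand-in for a value pair: buffer plus explicit length. */
struct vp_model { char strvalue[MAX_PASS_LEN + 1]; size_t length; };

static size_t round_up(size_t n) {
    if (n > MAX_PASS_LEN) n = MAX_PASS_LEN;
    return (n + AUTH_PASS_LEN - 1) & ~(size_t)(AUTH_PASS_LEN - 1);
}

/* Pattern described in the post: round up first, then copy that many bytes. */
size_t pad_copy_rounded(unsigned char *out, const struct vp_model *vp) {
    size_t padded = round_up(vp->length);
    memcpy(out, vp->strvalue, padded);  /* also copies bytes past vp->length */
    return padded;
}

/* Hardened variant: copy only vp->length bytes, zero-fill the padding. */
size_t pad_copy_zeroed(unsigned char *out, const struct vp_model *vp) {
    size_t len = vp->length > MAX_PASS_LEN ? MAX_PASS_LEN : vp->length;
    size_t padded = round_up(len);
    memset(out, 0, padded);
    memcpy(out, vp->strvalue, len);
    return padded;
}

/* Number of non-zero bytes in the padding region [length, padded). */
size_t stale_pad_bytes(const unsigned char *blk, size_t length, size_t padded) {
    size_t n = 0;
    for (size_t i = length; i < padded; i++) n += (blk[i] != 0);
    return n;
}

/* Constructed sample from the post: buffer holds abcdef"" but length is 7. */
struct vp_model sample_vp(void) {
    struct vp_model vp = { "abcdef\"\"", 7 };  /* rest of buffer is zeroed */
    return vp;
}

int main(void) {
    struct vp_model vp = sample_vp();
    unsigned char a[MAX_PASS_LEN], b[MAX_PASS_LEN];
    size_t pa = pad_copy_rounded(a, &vp), pb = pad_copy_zeroed(b, &vp);
    printf("stale pad bytes: rounded=%zu zeroed=%zu\n",
           stale_pad_bytes(a, vp.length, pa), stale_pad_bytes(b, vp.length, pb));
    return 0;
}
```

A receiving server that strips only trailing zero bytes from the decrypted block would see the stale byte from the first variant as part of the password.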