make_passwd(), rlm_perl and double quotes in the password

Niko Tyni ntyni at
Wed May 20 12:14:05 CEST 2009


We're seeing failed logins when proxying authentication requests through
to another RADIUS server if the password contains a double quote (").

I've debugged the issue a bit, and what happens is that when the password
does a roundtrip through the rlm_perl module, the value pair structure
ends up with extra bytes at the end so that 
strlen(vp->data.strvalue) > vp->length.

These extra bytes are the result of escaping the double quote before
entering the Perl code and then unescaping it afterwards. For instance,
the password abcdef" is passed as abcdef\" to the Perl code, and
afterwards it becomes abcdef"" with length 7 (so the extra byte is
not supposed to hurt AIUI.)

Unfortunately make_passwd() rounds 'inlen' up to a multiple of 16 before
copying the input string, so the extra bytes end up in the message
authenticator of the proxied request.

It seems to me that the escaping and unescaping done in rlm_perl via
 perl_store_vps() -> vp_prints_value() -> librad_safeprint() 
 get_hv_content() -> pairadd_sv() -> pairmake() -> pairparsevalue()
is a bit unnecessary, and that the unescaping could zero out the
extra bytes, but the main bug is in make_passwd() IMO.

I have reproduced this with a Debian 2.0.4 freeradius package,
a Fedora 2.1.3 package, and a current checkout
(commit ef2a7db5e).

I'm attaching a proposed patch to make_passwd(). Please let me know if
you need more information; I can easily produce stack traces and the like.

Thanks for your work on FreeRADIUS,
Niko Tyni   ntyni at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-make_passwd-only-use-inlen-bytes-of-the-input-str.patch
Type: text/x-diff
Size: 1513 bytes
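
The padding problem described in the message above, as an added example; it is not code from the post, the attached patch or FreeRADIUS. The function names (padded_len, pad_rounded_copy, pad_exact_copy, stray_bytes) are hypothetical, the sample buffer is constructed, and callers are assumed to pass buffers of at least MAX_PASS bytes.

```c
#include <stdio.h>
#include <string.h>

#define PAD_BLOCK 16    /* User-Password is padded to 16-byte blocks */
#define MAX_PASS  128   /* size of every buffer used in this example */

/* Round len up to a multiple of 16, with a minimum of one block. */
static size_t padded_len(size_t len)
{
    return len ? (len + PAD_BLOCK - 1) & ~(size_t)(PAD_BLOCK - 1) : PAD_BLOCK;
}

/* Behaviour described in the post: round first, then copy that many bytes,
 * so whatever follows the first inlen bytes of `in` ends up in the padding. */
size_t pad_rounded_copy(unsigned char *out, const unsigned char *in, size_t inlen)
{
    size_t len = padded_len(inlen);
    memcpy(out, in, len);
    return len;
}

/* Hardened form: zero the padded block, then copy exactly inlen bytes. */
size_t pad_exact_copy(unsigned char *out, const unsigned char *in, size_t inlen)
{
    size_t len = padded_len(inlen);
    memset(out, 0, len);
    memcpy(out, in, inlen);
    return len;
}

/* Constructed sample: the value buffer after the escape/unescape round trip
 * holds abcdef"" while the recorded length is still 7. Returns the number of
 * non-zero bytes found in the padding area of the resulting block. */
size_t stray_bytes(int exact)
{
    unsigned char value[MAX_PASS] = "abcdef\"\"";   /* remainder is zero */
    unsigned char block[MAX_PASS];
    size_t i, n, stray = 0;
    n = exact ? pad_exact_copy(block, value, 7) : pad_rounded_copy(block, value, 7);
    for (i = 7; i < n; i++)
        if (block[i] != 0) stray++;
    return stray;
}

int main(void)
{
    printf("rounded copy: %zu stray byte(s) in padding\n", stray_bytes(0));
    printf("exact copy:   %zu stray byte(s) in padding\n", stray_bytes(1));
    return 0;
}
```

Any non-zero byte in the padding changes the block that gets encrypted, so the receiving server recovers a different password than the one the user typed.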

More information about the Freeradius-Devel mailing list