vmps request: long attribute VQP-Ethernet-Frame again
Hermann.Lauer at iwr.uni-heidelberg.de
Mon Jan 4 15:07:14 CET 2010
On Thu, Jan 29, 2009 at 05:04:34PM +0100, Hermann Lauer wrote:
> Alan DeKok wrote:
> > > 0x0c05 is VQP-Ethernet-Frame, which can of course be longer than 253 bytes,
> > > so there is a design issue here. One idea would be to cut the attribute to
> > > 253 bytes in vqp_recv(). Could this be done there without memory issues ?
> > Yes, if you're not interested in the rest of the data.
Unfortunately the cutting solution which was included after the discussion above was no
completely correct, because the vqp_recv routine has to skip the complete ethernet packet
in checking as otherwise the rest would be interpeted as garbage, which makes
the server rejecting the packet with a "Packet contains invalid attribute"
message. The appended patch tries to fix this, but now memory errors occurs:
*** glibc detected *** /usr/sbin/freeradius: corrupted double-linked list: 0x00166cd0 ***
Any ideas ?
Netzwerkadministration/Zentrale Dienste, Interdiziplinaeres
Zentrum fuer wissenschaftliches Rechnen der Universitaet Heidelberg
IWR; INF 368; 69120 Heidelberg; Tel: (06221)54-8236 Fax: -5224
Email: Hermann.Lauer at iwr.uni-heidelberg.de
-------------- next part --------------
fix len skipping
diff --git a/src/lib/vqp.c b/src/lib/vqp.c
@@ -374,7 +374,7 @@
- attrlen = ptr;
+ attrlen = (ptr << 8) | ptr;
ptr += 6 + attrlen;
length -= (6 + attrlen);
More information about the Freeradius-Devel