radius_compare_vps & regexps w/ multiple match

Phil Mayers p.mayers at imperial.ac.uk
Wed Oct 3 18:01:51 CEST 2012


All,

This appears to be unintentional, but you can't do this - with a packet:

User-Name = foo
Attrib = val1=x
Attrib = val2=y

...and a "users" file entry of:

DEFAULT	Attrib =~ "^val1=(.+)"
	# do something

DEFAULT	Attrib =~ "^val2=(.+)"
	# do something else

The reason seems to be that valuepair.c:radius_compare_vps doesn't use 
the passed-in value of "vp" if you're doing a regexp check. Instead, it 
calls:

  sprintf(buf, "%%{%s}", check->name)
  radius_xlat(value, REQUEST, buf, ...)
  regexec(..., value)

i.e. it "xlat"s "%{checkname}" then performs the regexp against that.

This is wrong AFAICT - by using "xlat", it throws away "vp" completely, 
which breaks the cases where you have >1 value of the same name in the 
packet.

However: is this intentional? Does it do something I'm missing?

I think maybe replacing that "radius_xlat" call with a "vp_prints_value" 
call on the "vp" argument is the right thing to do?


More information about the Freeradius-Devel mailing list