\000 in "octets" attribute?

Stefan Winter stefan.winter at restena.lu
Thu Jun 15 11:47:44 CEST 2006 

> RFC 2865 says
>
>      "Note that none of the types in RADIUS terminate with a NUL (hex
>       00).  In particular, types "text" and "string" in RADIUS do not
>       terminate with a NUL (hex 00).  The Attribute has a length field
>       and does not use a terminator.  Text contains UTF-8 encoded 10646
>       [7] characters and String contains 8-bit binary data.  Servers and
>       servers and clients MUST be able to deal with embedded nulls.
>       RADIUS implementers using C are cautioned not to use strcpy() when
>       handling strings."
>
> There is nothing here that forbids an attribute containing nothing but
> a NUL, or ending in NUL.  The point is that the NUL in that case must
> be a *significant part* of the attribute value.  RADIUS clients and
> servers MUST *handle* the NULs, not silently ignore them like string
> terminators.

Reading is a tough task, obviously. They are required NOT to end with a NUL. 
So,

> That is: "blah\000" and "blah" have different value and length, but
> they are both allowed as attribute values.

blah\000 is an attribute that has a hex 00 as last character, while the RFC 
says "In particular, types "text" and "string" in RADIUS do not       
terminate with a NUL (hex 00)."

So, it is NOT allowed as an attribute value. Maybe you are confused about 
_embedded_ NULs. blah\000foo is perfectly fine with the RFC, since the NUL is 
between other parts, thus _embedded_. blah\000 however isn't.

Though I have to admit that FreeRADIUS is in a way not RFC-compliant because 
it will not handle embedded \000s correctly.

> In particular, integer attributes will often have 0 as value (just
> grep the dictionary VALUEs), which of course ends in 0.

The OP talked about "octets", which is a string. If he would be talking about 
"integer", a 0 as value would be perfectly fine. Which I told him in my 
previous reply.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060615/1e68957a/attachment.pgp>

More information about the Freeradius-Users mailing list