segfault in master 3.0.x checking for empty realm
Peter Lambrechtsen
peter at crypt.co.nz
Fri Mar 4 21:59:31 CET 2016
On Sat, Mar 5, 2016 at 8:17 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Mar 4, 2016, at 11:34 AM, Peter Lambrechtsen <peter at crypt.co.nz> wrote:
> >
> > Ran into an interesting issue with my realm code that should have just
> > given me a reject rather than a segfault.
> >
> > In my default site I have added to the end the realm:
> >
> > realm "~.*$" {
> > }
>
> You don't need that. The DEFAULT realm already does that.
>
But the default realm doesn't set the Realm VSA to the value passed in the
request after the @ or whatever we are splitting the realm on.
If there is nothing in the realm I get:
(0) Received Access-Request Id 159 from 127.0.0.1:47635 to 127.0.0.1:1812
length 264
(0) User-Password = "1234"
(0) User-Name = "user at testing"
(0) # Executing section authorize from file ./sites-enabled/default
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "testing" for User-Name = "user at testing"
(0) suffix: No such realm "testing"
(0) [suffix] = noop
Or if I have the realm "DEFAULT"
realm DEFAULT {
}
Then I get.
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "testing" for User-Name = "user at testing"
(0) suffix: Found realm "DEFAULT"
(0) suffix: Adding Stripped-User-Name = "user"
(0) suffix: Adding Realm = "DEFAULT"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
...
(0) perl: $RAD_REQUEST{'Realm'} = &request:Realm -> 'DEFAULT'
Whereas when I have realm "~.*$"
realm "~.*$" {
}
I get the realm passed in the request into the Realm VSA.
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "testing" for User-Name = "user at testing"
(0) suffix: Found realm "~.*$"
(0) suffix: Adding Stripped-User-Name = "user"
(0) suffix: Adding Realm = "testing"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
...
(0) perl: $RAD_REQUEST{'Realm'} = &request:Realm -> 'testing'
So then I can do some logic based on the realm passed and lookup which
realm I want to use.
As the proxy.conf has realm value such as "CryptServer1" as the realm name,
and I do a lookup based on the realm passed in the request "crypt.co.nz"
and do an update control Proxy-To-Realm CryptServer1.
So I use the suffix module to do the split of the User-Name rather than
complex regex. And make decisions on which realm to Proxy to (or not Proxy)
based on data in the database. I get a Proxy-To-Realm in the response from
suffix then someone is doing something very untoward using a suffix on the
request that actually does match to a realm in the proxy file. Which should
never happen as the realms in the proxy.conf are something like
"ServerName1-bignumber" so if a user uses "user at ServerName1-bignumber" then
they are trying to hack knowing some internal only information or do
something untoward so I just reject those requests.
> So that suffix matches every realm as I don't have control over the realm
> > names and need to perform lookups in the database on the realm.
> >
> > But if I then try and run suffix with an empty realm and do if check to
> see
> > if it's not a particular realm I get a segfault.
>
> I've pushed a fix.
>
Brilliant, I'll have a go with it later on this afternoon.
More information about the Freeradius-Users
mailing list