Nulls embedded in Cisco-AVPairs

Arran Cudbard-Bell a.cudbardb at
Sat Jun 10 23:28:46 CEST 2017

> This truncation seems to be because some regular expression libraries do not safely process nulls. These are messages I received when changing the quote variable to '"' for debugging purposes:
> ERROR : (57)      regex failed: Found null in subject at offset 9.  String unsafe for evaluation
> ERROR : (57)      Condition evaluation failed because the value of an operand could not be determined

It works :D

> I’ve tried many different string representations in the code snippet above and nothing changes this behavior. But I also can’t find a way to transform Foreach-Variable-0 such that it can be given to another module for processing … always the fr_pair_value_snprint() call with a zero quote value is used, which truncates the string. This is the call in xlat_foreach().
> There is a FreeRADIUS compile option to use regex code where nulls are safe within the value (i.e., regnexec), which would seem to avoid the message above. But that does not seem sufficient as the current code in xlat_foreach() would still provide a truncated string to the regex library.

If you compile with libpcre the error message will go away too.

> Suggestions for a workaround?

Unfortunately the xlat processing code is one of the few places which is still not binary safe.  It's very close to the top of the todo list for v4.0.x.

You could pass the request into rlm_perl or rlm_python and do Cisco-AVPair parsing there until the xlat code is fixed.

> I’m using FreeRADIUS 3.1.0.

Hm, that development branch is dead at this point.  If you need something bleeding edge you should switch to v4.0.x, but that's not at all in a stable state currently either.

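The reply above suggests doing the Cisco-AVPair parsing in rlm_python until the xlat code is binary safe. The following is an added example, not part of the original post and not FreeRADIUS code: a parser that treats the value as bytes so an embedded null is kept, next to the truncated view a NUL-terminated consumer would see. The function names and sample values are constructed, the `=` (mandatory) / `*` (optional) separators follow the general Cisco AV-pair convention rather than anything stated in the thread, and how the raw bytes reach the script from the module is an assumption.

```python
import re

# Constructed sample values (not from the thread); the second carries an embedded NUL.
SAMPLE_AVPAIRS = [
    b"shell:priv-lvl=15",
    b"client-data=abc\x00def",
    b"ip:inacl#1*permit ip any any",
]

# name, separator, value. The name may not contain a separator or a NUL;
# the value may contain anything. DOTALL lets '.' match newlines as well,
# and NUL is an ordinary byte to Python's re module.
AVPAIR_RE = re.compile(rb"\A([^=*\x00]+)([=*])(.*)\Z", re.DOTALL)


def c_string_view(raw: bytes) -> bytes:
    """What a NUL-terminated consumer sees: everything before the first NUL."""
    return raw.split(b"\x00", 1)[0]


def parse_avpair(raw: bytes) -> dict:
    """Split one Cisco-AVPair value into name/separator/value without truncating."""
    m = AVPAIR_RE.match(raw)
    if m is None:
        raise ValueError("not a name=value or name*value pair: %r" % raw)
    name, sep, value = m.groups()
    return {
        "name": name.decode("ascii", "replace"),
        "mandatory": sep == b"=",
        "value": value,                      # kept as bytes, NULs intact
        "has_nul": b"\x00" in value,         # flag for logging or policy decisions
        "lost_if_truncated": len(raw) - len(c_string_view(raw)),
    }


def parse_all(values):
    """Parse every value; a malformed pair raises instead of being silently skipped."""
    return [parse_avpair(v) for v in values]


if __name__ == "__main__":
    for pair in parse_all(SAMPLE_AVPAIRS):
        print(pair)
```
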