3.0.4: binary LDAP attributes
Phil Mayers
p.mayers at imperial.ac.uk
Thu Mar 23 12:05:25 CET 2017
On 23/03/17 09:23, Nikolai Kondrashov wrote:
> On 12/09/2014 01:51 PM, Nikolai Kondrashov wrote:
>> Our (Red Hat) QA was testing the effect of this entry in 3.0.4 ChangeLog:
>>
>> * Modify pairparsevalue to deal with embedded NULLs better,
>> and use the binary versions of attribute values in rlm_ldap.
>>
>> They have noticed that binary LDAP values get truncated on embedded zero
>> characters (\0) in RADIUS replies, in radiusReplyMessage in particular.
>> I.e. for
>>
>> radiusReplyMessage:: cmVwbHkgd2l0aCBhAGI=
>>
>> The response output by radtest was
>>
>> Reply-Message = 'reply with a'
>>
>> The network capture also showed that RADIUS reply packets contained
>> truncated values.
>
> We still see the above behavior in v3.0.13.

This looks relevant:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_ldap/attrmap.c#L116
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/lib/pair.c#L1190
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/lib/value.c#L420
These appear to all be 8-bit clean, using talloc_bstrndup and the quote
handling seems OK. At a glance it looks fine to me; I wonder if the
problem is deeper in the server core.
What happens if you butcher the dictionaries and change Reply-Message to
be "octets", just to test?
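
Added example, not FreeRADIUS code and not part of the original message: it decodes the radiusReplyMessage value from the report and shows that a single strlen()-based copy anywhere along the path yields exactly the 'reply with a' output, while a copy that carries the length keeps all bytes. The helper names (b64_decode, copy_cstr, copy_binary, reply_len) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base64 value of radiusReplyMessage quoted in the report. */
static const char SAMPLE[] = "cmVwbHkgd2l0aCBhAGI=";

/* Decode standard base64 (LDIF "attr:: value"). Returns byte count or -1. */
static int b64_decode(const char *in, uint8_t *out, int max)
{
	static const char tbl[] =
		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	uint32_t acc = 0;
	int bits = 0, n = 0;

	for (; *in && *in != '='; in++) {
		const char *p = strchr(tbl, *in);
		if (!p) return -1;              /* not a base64 character */
		acc = (acc << 6) | (uint32_t)(p - tbl);
		if ((bits += 6) >= 8) {
			bits -= 8;
			if (n >= max) return -1;    /* output buffer too small */
			out[n++] = (uint8_t)(acc >> bits);
		}
	}
	return n;
}

/* C-string copy: the length is rediscovered with strlen(), so the copy
 * stops at the first embedded NUL. src must be NUL-terminated. */
static size_t copy_cstr(uint8_t *dst, const uint8_t *src)
{
	size_t n = strlen((const char *)src);
	memcpy(dst, src, n);
	return n;
}

/* 8-bit clean copy: the length travels with the buffer. */
static size_t copy_binary(uint8_t *dst, const uint8_t *src, size_t len)
{
	memcpy(dst, src, len);
	return len;
}

/* Bytes that survive one copy of the decoded sample value. */
size_t reply_len(int binary_safe)
{
	uint8_t raw[64] = {0}, out[64];
	int n = b64_decode(SAMPLE, raw, (int)sizeof(raw) - 1);
	if (n < 0) return 0;
	return binary_safe ? copy_binary(out, raw, (size_t)n) : copy_cstr(out, raw);
}

int main(void)
{
	printf("strlen-based copy: %zu bytes\n", reply_len(0));
	printf("length-aware copy: %zu bytes\n", reply_len(1));
	return 0;
}
```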