OpenDirectory Authentication memory corruption
Alan DeKok
aland at deployingradius.com
Wed Jun 10 03:35:32 CEST 2020
On Jun 9, 2020, at 4:25 AM, Carsten Kirschner via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I tried various ways to get line numbers compiled in, but failed. The compiler switch -g3 is set, by your default, but the binaries do not contain full debug info and I couldn't see any symbol files. If someone has a way to create proper files I will try that.
Weird. Oh well.
> What I tried, and can say for sure, is that the crash can be mitigated if talloc_zero_array is used instead of talloc_array in src/modules/rlm_mschap/opendir.c in the lines around 140.
> I refer to this code segment, both occurrences of talloc_array: https://github.com/FreeRADIUS/freeradius-server/commit/dee78b44119168e0cc5714602f8f7449a2e661aa (the zero setting of the last byte is then unneeded)
> I think this is not the fix for the problem, but prevents the crash. Maybe because there is no longer uninitialized memory which is accessed because of a null check somewhere else.
I'll push that fix, but it doesn't make sense to me. Sure, the use of talloc_zero_array() ensures that the entire memory is set to zero. But the next line is a memcpy(), which also initializes the entire array.
> With the talloc_zero_array function I can reliably authenticate users from the local user database. But users from the OpenDirectory fail with mschap: ERROR: rlm_mschap: authentication failed - status = eDSAuthMethodNotSupported
I guess MS-CHAP is no longer supported. Maybe Apple would be gracious enough to send a patch. :(
Alan DeKok.
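
Editor's added example (not FreeRADIUS code and not from either poster): it checks the reasoning in the reply above, that a zeroed allocation can only change the outcome for bytes that the following memcpy() and terminator write do not cover. malloc()/calloc() stand in for talloc_array()/talloc_zero_array(), a poison byte stands in for uninitialised memory so the result is deterministic, and the sizes are constructed, not taken from opendir.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xA5 /* deterministic stand-in for uninitialised heap contents */

/* Same sequence on either buffer: copy copy_len bytes, terminate the last byte. */
static unsigned char *fill_buffer(unsigned char *buf, size_t alloc_len,
                                  const unsigned char *src, size_t copy_len)
{
    if (!buf || copy_len >= alloc_len) { free(buf); return NULL; }
    memcpy(buf, src, copy_len);
    buf[alloc_len - 1] = '\0';
    return buf;
}

/* Number of bytes whose final value depends on which allocator was used,
 * or -1 on allocation failure or invalid sizes. */
long allocator_dependent_bytes(size_t alloc_len, const unsigned char *src,
                               size_t copy_len)
{
    unsigned char *plain = malloc(alloc_len);      /* talloc_array stand-in */
    unsigned char *zeroed = calloc(alloc_len, 1);  /* talloc_zero_array stand-in */
    long differing = 0;

    if (plain) memset(plain, POISON, alloc_len);
    plain = fill_buffer(plain, alloc_len, src, copy_len);
    zeroed = fill_buffer(zeroed, alloc_len, src, copy_len);
    if (!plain || !zeroed) {
        differing = -1;
    } else {
        for (size_t i = 0; i < alloc_len; i++)
            if (plain[i] != zeroed[i]) differing++;
    }
    free(plain);
    free(zeroed);
    return differing;
}

int main(void)
{
    const unsigned char src[8] = "\x01\x02\x03\x04\x05\x06\x07\x08"; /* constructed */

    /* Copy covers everything but the terminator: allocator choice is invisible. */
    printf("alloc 9, copy 8:  %ld bytes differ\n", allocator_dependent_bytes(9, src, 8));
    /* Buffer larger than the copy: the gap is where zeroing changes behaviour. */
    printf("alloc 16, copy 8: %ld bytes differ\n", allocator_dependent_bytes(16, src, 8));
    return 0;
}
```

When the first case matches the real code, a crash that disappears under a zeroed allocation points at a reader elsewhere that runs past the copied length, or at memory handed to another consumer.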