Date:      Fri, 14 Feb 2014 14:52:32 -0500
From:      Alan DeKok <aland@freeradius.org>
To:        Pierre Carrier <pierre.carrier@airbnb.com>
Cc:        secalert <secalert@redhat.com>, pkgsrc-security <pkgsrc-security@netbsd.org>, security@ubuntu.com, security@freeradius.org, pupykin.s+arch@gmail.com, security@debian.org, bugbusters <bugbusters@freebsd.org>, product.security@airbnb.com
Subject:   Re: freeradius denial of service in authentication flow
Message-ID:  <52FE7400.4000808@freeradius.org>
In-Reply-To: <CAM7LUF5e07PTwWAdcGEJNdZ24Nk0ssugCeoc=u_uMy8i-7xvOQ@mail.gmail.com>
References:  <CAM7LUF55w4g7=GqhfFyys0fhJNKQtX-Pp804YWRW57GxbO9WDw@mail.gmail.com> <52FC1916.4060501@freeradius.org> <CAM7LUF5e07PTwWAdcGEJNdZ24Nk0ssugCeoc=u_uMy8i-7xvOQ@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pierre Carrier wrote:
> rlm_pap.c, mod_authorize, case PW_SSHA_PASSWORD calls normify(request,
> vp, 20), which for base64-encoded values will invoke
> base64_decode(vp->strvalue, buffer).
> Nothing stops this base64_decode invocation from going over the buffer
> boundary, a uint8_t[64] on the stack.

  OK.  We've pushed changes to the v2.x.x, v3.0.x, and master branches.
See commit 0d606cfc29a in the v2.x.x branch, and ff5147c9e5088c7 in v3.0.x.

  The "master" branch doesn't have an official release, so downstream
users don't need to do anything for it.

> Indeed, it is not a remote DoS, and I agree the practical implications
> aren't too scary.

  Yes.

> But, as a hypothetical, convoluted illustration:
> A disgruntled employee could prevent all access to a company's
> internal network without out-of-band intervention, including from
> remote locations if the Radius infrastructure is centralized.
> Such internal network access could be needed to revoke their credentials.

  And would be discovered pretty quickly.

  Alan DeKok.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQCVAwUBUv50AKkul4vkAkl9AQLP4QQAl+cnsN0DP1vZM2NHBGE9rl95m2RPBHJJ
GxZQLePweYkFCP1urAqoGkyiKs6AclGysGyxzJFj1EVw9mBBKkR+CxsKs3Wyqyku
w7zG57khJjf7HZdsn7ztnzJmx4SEygcfD1dEr+yjY/+ePt5fxOPUv2EHz7ouTRVM
2Y3PtVajBkc=
=egp6
-----END PGP SIGNATURE-----
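The defect class discussed in the thread, as an added illustration that is not FreeRADIUS code and not the fix referenced by the commits above: a base64 decoder with no notion of the destination's capacity, beside a bounded decoder that refuses to write past it, and a normify-style caller that decodes an SSHA-Password value into a 64-byte stack buffer with a 20-byte minimum (the sizes in the report). The function names base64_decode_unbounded, base64_decode_bounded and normify_ssha_checked, and the sample values, are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if it is not
 * part of the alphabet. */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* The pattern the report describes: the decoder is never told how large
 * `out` is, so a caller handing it a uint8_t[64] on the stack gets that
 * buffer overrun as soon as the value decodes to more than 64 bytes.
 * Kept here for contrast only; do not call it with untrusted input. */
int base64_decode_unbounded(const char *in, uint8_t *out)
{
    uint32_t acc = 0;
    int bits = 0, n = 0;

    for (; *in && *in != '='; in++) {
        int v = b64_value(*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (uint8_t)((acc >> bits) & 0xff);   /* no check on n */
        }
    }
    return n;
}

/* Bounded decode: at most `outlen` bytes are ever written.  Returns the
 * decoded length, or -1 for a non-base64 character or for a value that
 * would not fit.  The capacity test runs before every write, never after. */
int base64_decode_bounded(const char *in, size_t inlen,
                          uint8_t *out, size_t outlen)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;

    for (size_t i = 0; i < inlen && in[i] != '='; i++) {
        int v = b64_value(in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;            /* would overflow: refuse */
            out[n++] = (uint8_t)((acc >> bits) & 0xff);
            acc &= (1u << bits) - 1;               /* keep only leftover bits */
        }
    }
    return (int)n;
}

/* Hypothetical normify-style caller (this example's own, not rlm_pap's):
 * decode a base64 SSHA-Password value into a 64-byte stack buffer, require
 * at least `min_len` bytes (20 for a SHA-1 digest), copy the result to the
 * caller and return its length, or -1 if the value is malformed, too short,
 * or too long to fit in the buffer. */
int normify_ssha_checked(const char *value, size_t min_len,
                         uint8_t *decoded, size_t decoded_cap)
{
    uint8_t buffer[64];
    size_t len = strlen(value);
    int n;

    /* Cheap pre-check: 4 base64 characters carry 3 bytes, so a value this
     * short cannot hold min_len bytes and need not be decoded at all. */
    if (len * 3 < min_len * 4) return -1;

    n = base64_decode_bounded(value, len, buffer, sizeof(buffer));
    if (n < 0 || (size_t)n < min_len || (size_t)n > decoded_cap) return -1;

    memcpy(decoded, buffer, (size_t)n);
    return n;
}
```

The point of the bounded variant is where the check sits: a length test on the encoded string before decoding is a useful fast path, but the guarantee comes from the decoder refusing each write that would exceed the capacity it was given, so a 64-byte destination holds at most 64 bytes no matter how the input was sized or padded.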



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52FE7400.4000808>