Re: Serious bug in "radius" dialup authentication software

Dale E. Reed Jr. (daler@IEA-SOFTWARE.COM)
Mon, 23 Feb 1998 11:01:11 -0800

I would like to address the issue of RadiusNT and the below.

The issue with RadiusNT and long usernames has nothing to do with
the below code. The issue ONLY surfaces when you have concurrency
control enabled, and have a username higher than 60 or so characters.
If you turn concurrency control off, RadiusNT will NOT crash
and allows usernames up to 253 characters.

RadiusNT also correctly supports string attributes up to 253
characters long, as per the RFC.

> > > This is another known bug, which I call the 'magic 128.' Most, if not all,
> > > versions of radius, be it Livingston, Merit, RadiusNT, whatever, will choke
> > > HORRIBLY if any entered field is over 128 characters. I don't know if
> > > there's a workaround, but I haven't actually looked. I honestly don't think
> > > anybody's going to bother with that one too much.
> >
> > Look at radius.h in the original Livingston code. You'll see:
> >
> > #define AUTH_STRING_LEN 128 /* maximum of 254 */
> >
> > Duh! They almost got the comment right. AUTH_STRING_LEN is used to
> > size strvalue in struct value_pair. It's used like this in radiusd.c:
> >
> >     case PW_TYPE_STRING:
> >         memcpy(pair->strvalue, ptr, attrlen);
> >
> > attrlen is calculated as:
> >
> >     u_char *ptr;
> >     ...
> >     attrlen = *ptr++;
> >     if(attrlen < 2) {
> >         length = 0;
> >         continue;
> >     }
> >     attrlen -= 2;
> >
> > Ok, so with this code the max is actually 253. Ok, copy 253 bytes
> > into a 128 byte array and see what happens. I fixed this for the
> > Ascend version, perhaps as early as late '94.
> >
> > // marc

--
Dale E. Reed Jr.  (daler@iea-software.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com
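
The missing bound that the quoted message points at, as an added example that is not part of the original thread and is not Livingston, Ascend or RadiusNT code: a string-attribute parser that checks the value length against the size of strvalue before the memcpy. parse_string_attr and the sample packet are hypothetical; AUTH_STRING_LEN and struct value_pair take their names from the quoted text.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_STRING_LEN 128  /* value from the quoted radius.h */

struct value_pair {
    unsigned char type;
    size_t length;
    char strvalue[AUTH_STRING_LEN];
};

/* Hypothetical helper: parse one type/length/value attribute from buf
 * (len bytes remain). Returns bytes consumed, or -1 if it is rejected. */
int parse_string_attr(const unsigned char *buf, size_t len,
                      struct value_pair *pair)
{
    size_t attrlen;

    if (len < 2)
        return -1;              /* no room for type and length octets */
    attrlen = buf[1];
    if (attrlen < 2 || attrlen > len)
        return -1;              /* length octet disagrees with the packet */
    attrlen -= 2;               /* value length, 0..253 */
    if (attrlen > sizeof(pair->strvalue) - 1)
        return -1;              /* the check missing before the memcpy */

    pair->type = buf[0];
    pair->length = attrlen;
    memcpy(pair->strvalue, buf + 2, attrlen);
    pair->strvalue[attrlen] = '\0';
    return (int)(attrlen + 2);
}

int main(void)
{
    unsigned char pkt[255];     /* constructed sample: type 1, value of 'A's */
    struct value_pair vp;

    memset(pkt, 'A', sizeof(pkt));
    pkt[0] = 1;
    pkt[1] = 255;               /* 253-byte value */
    printf("253-byte value: %d\n", parse_string_attr(pkt, sizeof(pkt), &vp));
    pkt[1] = 62;                /* 60-byte value */
    printf("60-byte value:  %d\n", parse_string_attr(pkt, sizeof(pkt), &vp));
    return 0;
}
```

With AUTH_STRING_LEN raised to 254 the full 253-byte range is accepted; the length check stays in place either way.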