>Synopsis:	possible segmentation violation in login_radius
>Category:	system
>Environment:
	System      : OpenBSD 7.2
	Details     : OpenBSD 7.2 (GENERIC.MP) #2: Thu Nov 24 23:53:03 MST 2022
	              r...@syspatch-72-arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
	Architecture: OpenBSD.arm64
	Machine     : arm64
>Description:
	While bored and reading through tech@, I saw that someone was using a
	RADIUS server. So I wanted to see if they were using login_radius(8),
	and the answer was no. But while there I got stuck reading the code :}.
	I saw a segmentation violation in the MD5 code, in raddauth.c line 473:

	473	MD5Update(&context, (u_char *)&auth, ntohs(auth.length));

	This length comes from the network payload, and if it is over a
	specific value, it will read beyond auth:

	typedef struct {
		u_char code;
		u_char id;
		u_short length;
		u_char vector[AUTH_VECTOR_LEN];
		u_char data[4096 - AUTH_HDR_LEN];
	} auth_hdr_t;

	That is the size of auth.
>How-To-Repeat:
	This may be used as a DoS in a flood when someone is logging in?
	I made a test program that shows the segmentation fault:

	#include <sys/types.h>
	#include <md5.h>
	#include <stdint.h>
	#include <stdlib.h>

	#define LENGTH 4096

	int
	main(void)
	{
		char auth[LENGTH];
		MD5_CTX context;
		uint8_t test_vector[MD5_DIGEST_LENGTH];

		MD5Init(&context);
		/* Hash twice the size of the buffer: reads past the end of auth. */
		MD5Update(&context, (u_char *)&auth, LENGTH * 2);
		MD5Final(test_vector, &context);
		exit(0);
	}

	pjp@polarstern$ ./testprog
	Segmentation fault (core dumped)
>Fix:
	It is pretty insane not to use IPsec here, but this is just a
	workaround. The right thing to do would be to get the value of length
	from recvfrom() and use that.

	dmesg: see earlier posts last month.
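For illustration, the bounds check the Fix section asks for, written as an added example that is not part of the bug report or of OpenBSD's raddauth.c: a helper that takes the byte count recvfrom() actually returned together with the packet's own length field, and yields the number of bytes that may safely be passed to MD5Update() (or -1 if the packet should be dropped). The struct layout and the values AUTH_VECTOR_LEN = 16 and AUTH_HDR_LEN = 20 are assumptions chosen to match the header quoted above and the RFC 2865 header format; the helper names and the sample packets are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Assumed to match the struct quoted from raddauth.c and RFC 2865:
 * 1 byte code + 1 byte id + 2 byte length + 16 byte authenticator = 20.
 * Standard fixed-width types are used here instead of u_char/u_short so
 * the example builds on any C99 system; the layout is identical (4096 bytes).
 */
#define AUTH_VECTOR_LEN	16
#define AUTH_HDR_LEN	20

typedef struct {
	uint8_t  code;
	uint8_t  id;
	uint16_t length;		/* network byte order, attacker-controlled */
	uint8_t  vector[AUTH_VECTOR_LEN];
	uint8_t  data[4096 - AUTH_HDR_LEN];
} auth_hdr_t;

/*
 * Return how many bytes of *auth may be hashed or parsed, or -1 if the
 * packet must be discarded.  nread is the return value of recvfrom().
 *
 * Checks, in order:
 *   - at least a full header arrived, so auth->length can be read at all;
 *   - the declared length is within the RFC 2865 bounds 20..4096, i.e.
 *     never larger than the buffer itself;
 *   - the declared length does not exceed what actually arrived.
 * Octets past the declared length are padding and are not hashed.
 *
 * The vulnerable call quoted in the report is
 *     MD5Update(&context, (u_char *)&auth, ntohs(auth.length));
 * with this helper it becomes
 *     n = radius_hash_len(&auth, nread);  if (n < 0) drop the packet;
 *     MD5Update(&context, (u_char *)&auth, n);
 */
ssize_t
radius_hash_len(const auth_hdr_t *auth, ssize_t nread)
{
	size_t len;

	if (nread < AUTH_HDR_LEN)
		return -1;
	len = ntohs(auth->length);
	if (len < AUTH_HDR_LEN || len > sizeof(*auth))
		return -1;
	if ((ssize_t)len > nread)
		return -1;
	return (ssize_t)len;
}

/* Build a packet in memory (constructed test input, no network needed). */
static void
fill_packet(auth_hdr_t *auth, uint16_t declared_len)
{
	memset(auth, 0, sizeof(*auth));
	auth->code = 2;			/* Access-Accept */
	auth->id = 1;
	auth->length = htons(declared_len);
}

/* Convenience wrapper: what would the check say for this length/nread pair? */
ssize_t
check_packet(uint16_t declared_len, ssize_t nread)
{
	auth_hdr_t auth;

	fill_packet(&auth, declared_len);
	return radius_hash_len(&auth, nread);
}

int
main(void)
{
	/* Well-formed: 20-byte header plus 12 bytes of attributes, all received. */
	printf("len=32    nread=32 -> %zd\n", check_packet(32, 32));
	/* Hostile: declared 0xffff would read ~60 KiB past auth if trusted. */
	printf("len=65535 nread=32 -> %zd\n", check_packet(0xffff, 32));
	/* Declared length exceeds what arrived: RFC 2865 says discard. */
	printf("len=200   nread=32 -> %zd\n", check_packet(200, 32));
	/* Trailing bytes beyond the declared length are padding, not hashed. */
	printf("len=20    nread=64 -> %zd\n", check_packet(20, 64));
	return 0;
}
```

The two independent bounds matter: clamping to the received byte count alone would still be wrong if the buffer were smaller than the datagram, and clamping to sizeof(auth) alone would still hash uninitialised stack bytes when a short datagram carries a large length field.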