On Thu, Mar 02, 2023 at 09:31:57AM -0700, Theo de Raadt wrote:
> Using a global variable like that is poor style.
OK, I'm gonna give it one more attempt:
In RFC 2865 there is no auth code for discarding a message but there is a
255 reserved value which we may be able to use as a hack. Refer to page
14 of RFC 2865.
The updated patch then returns from rad_recv() with that 255 and is caught
in the switch/case, and executes with a following goto retry.
Again I don't have a test network for this.
Best Regards,
-peter
Index: raddauth.c
===================================================================
RCS file: /cvs/src/libexec/login_radius/raddauth.c,v
retrieving revision 1.30
diff -u -p -u -r1.30 raddauth.c
--- raddauth.c 28 Jun 2019 13:32:53 -0000 1.30
+++ raddauth.c 2 Mar 2023 16:46:37 -0000
@@ -105,6 +105,7 @@
#define PW_CLIENT_PORT_ID 5
#define PW_PORT_MESSAGE 18
#define PW_STATE 24
+#define PW_SILENT_DISCARD 255 /* Reserved in RFC 2865 */
#ifndef RADIUS_DIR
#define RADIUS_DIR "/etc/raddb"
@@ -324,6 +325,10 @@ retry:
passwd = "";
break;
+ case PW_SILENT_DISCARD:
+ goto retry;
+ break;
+
default:
if (timedout)
goto retry;
@@ -451,17 +456,22 @@ rad_recv(char *state, char *challenge, u
struct sockaddr_in sin;
u_char recv_vector[AUTH_VECTOR_LEN], test_vector[AUTH_VECTOR_LEN];
MD5_CTX context;
+ ssize_t total_length;
salen = sizeof(sin);
alarm(timeout);
- if ((recvfrom(sockfd, &auth, sizeof(auth), 0,
- (struct sockaddr *)&sin, &salen)) < AUTH_HDR_LEN) {
+ total_length = recvfrom(sockfd, &auth, sizeof(auth), 0,
+ (struct sockaddr *)&sin, &salen);
+ alarm(0);
+ if (total_length < AUTH_HDR_LEN) {
if (timedout)
return(-1);
errx(1, "bogus auth packet from server");
}
- alarm(0);
+ if (ntohs(auth.length) > total_length) {
+ return (PW_SILENT_DISCARD);
+ }
if (sin.sin_addr.s_addr != auth_server)
errx(1, "bogus authentication server");
