Dear Alan DeKok,
--Thursday, November 20, 2003, 11:51:13 PM, you wrote to [EMAIL PROTECTED]:

AD> As it turns out, however, the problem isn't as bad as it could have
AD> been. The bug he reported can cause the server to crash, but is
AD> difficult to exploit. Any attack code MUST be in the form of a valid
AD> RADIUS packet, which significantly limits the possible exploits.
AD> However, there was another bug which the reporter did NOT discover,
AD> which causes the server to de-reference a NULL pointer, and thus
AD> crash, whenever an Access-Request packet containing a Tunnel-Password
AD> attribute is received.

Neither bug is exploitable for code execution (the first one because the target buffer is on the heap, not on the stack, and it's impossible to overwrite a local variable inside memcpy, as in the case of the apache-nosejob exploit, so memcpy will always segfault and never return).

It's fully identical to bug (2) described in http://www.security.nnov.ru/search/document.asp?docid=2578

Either I missed this bug during the audit 1.5 years ago or it was introduced later. At the time of the audit, the tunneling support code was present in the sources in a non-working state.

--
~/ZARAZA
Man is a mystery... I occupy myself with this mystery in order to be a man. (Dostoevsky)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html