Magnus Hagander wrote:
> If you can test the complete patch in your environment (particularly
> if you already have a "bad packet injector" that you know creates the
> issue on 9.0), that would be great though.
If you use FreeRADIUS, use "radclient" to send the following text:
User-Name = "bob"
Magnus Hagander wrote:
> Actually, never mind that one. Here's a patch I worked up from your
> description, and that turns out to be fairly similar to yours in what
> it does I think - except I'm not rearranging the code into a separate
> function. We already have a while-loop.
Thanks. The only
Tom Lane wrote:
> Hm ... seems to me that is a network security problem, not our problem.
> Who's to say one of the spoofed packets won't pass verification?
The packets are signed with a shared key. Passing verification means
either the attacker knows the key, or the attacker has broken MD5 in
Magnus Hagander wrote:
> I think he's referring to the ability to flood the postgresql server
> with radius packets with spoofed IP source, correct?
Yes. Or, with any number of other "bad" packets.
> If we then looped
> until we got one that validated as a proper packet, we'd still be able
> t
t" from 'errors' to 'warnings'. Being attacked isn't an error. :)
Alan DeKok.
From 4d710886f380359b461f6a767fd4b7099f545cce Mon Sep 17 00:00:00 2001
From: Alan T. DeKok
Date: Thu, 30 Sep 2010 18:18:01 +0200
Subject: [PATCH 1/4] Move RADIUS verify checks to a common function
This is in prepara