>Synopsis: possible segmentation violation in login radius
>Category: system
>Environment:
System : OpenBSD 7.2
Details : OpenBSD 7.2 (GENERIC.MP) #2: Thu Nov 24 23:53:03 MST 2022
[email protected]:/usr/src/sys/arch/arm64/compile/GENERIC.MP
Architecture: OpenBSD.arm64
Machine : arm64
>Description:
While bored and reading through tech@, I saw that someone was using a RADIUS server.
So I wanted to see if they were using login_radius(8), and the answer was no.
But while there I got stuck reading the code :}.
I saw a segmentation violation in the MD5 code, in raddauth.c line 473:
473 MD5Update(&context, (u_char *)&auth, ntohs(auth.length));
This length comes from the network payload and, if it is over a specific value, it
will read beyond auth.
    typedef struct {
            u_char code;
            u_char id;
            u_short length;
            u_char vector[AUTH_VECTOR_LEN];
            u_char data[4096 - AUTH_HDR_LEN];
    } auth_hdr_t;
That is the size of auth.
>How-To-Repeat:
This may be used as a DoS in a flood when someone is logging in? I made a
test program that shows the segmentation fault:
    #include <sys/types.h>
    #include <md5.h>
    #include <stdint.h>
    #include <stdlib.h>

    #define LENGTH 4096

    int
    main(void)
    {
            char auth[LENGTH];
            MD5_CTX context;
            uint8_t test_vector[MD5_DIGEST_LENGTH];

            MD5Init(&context);
            /* Hash twice the buffer's size: reads past the end of auth,
             * as an oversized auth.length does in raddauth.c. */
            MD5Update(&context, (u_char *)&auth, LENGTH * 2);
            MD5Final(test_vector, &context);
            exit(0);
    }
pjp@polarstern$ ./testprog
Segmentation fault (core dumped)
>Fix:
It is pretty insane here not to use IPSEC, but this is just a workaround.
The right thing to do would be to get the value of length from recvfrom()
and use that.
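The check the Fix paragraph proposes, written out as an added example (not code from the report or from login_radius): the byte count returned by recvfrom() bounds the peer-supplied length before anything is hashed or parsed. AUTH_VECTOR_LEN (16) and AUTH_HDR_LEN (20) are assumed from RFC 2865, and radius_safe_len/check_case are names chosen here.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Assumed constants from RFC 2865: 16-byte authenticator, 20-byte header. */
#define AUTH_VECTOR_LEN 16
#define AUTH_HDR_LEN    20

typedef struct {                /* same layout as the auth_hdr_t in the report */
    uint8_t  code;
    uint8_t  id;
    uint16_t length;            /* network byte order, supplied by the peer */
    uint8_t  vector[AUTH_VECTOR_LEN];
    uint8_t  data[4096 - AUTH_HDR_LEN];
} auth_hdr_t;

/*
 * Bytes of *auth that may be passed to MD5Update() or an attribute parser,
 * or -1 if the datagram must be dropped.  `received` is the return value of
 * recvfrom(); unlike auth->length, the peer cannot push it past the buffer.
 */
ssize_t
radius_safe_len(const auth_hdr_t *auth, ssize_t received)
{
    size_t claimed;

    if (received < AUTH_HDR_LEN || (size_t)received > sizeof(*auth))
        return -1;              /* header truncated, or larger than our buffer */
    claimed = ntohs(auth->length);
    if (claimed < AUTH_HDR_LEN || claimed > (size_t)received)
        return -1;              /* RFC 2865 s.3: too short, or longer than datagram */
    return (ssize_t)claimed;    /* octets past `claimed` are padding, ignored */
}

/* Constructed test input: a zeroed packet whose header claims `claimed` bytes
 * while `received` bytes actually arrived from recvfrom(). */
ssize_t
check_case(uint16_t claimed, ssize_t received)
{
    auth_hdr_t a;

    memset(&a, 0, sizeof(a));
    a.length = htons(claimed);
    return radius_safe_len(&a, received);
}
```

check_case(65535, 64) is the report's scenario: a 64-byte datagram whose header claims 65535 bytes is rejected instead of being fed to MD5Update().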
dmesg:
see earlier posts last month.