Rens Houben <[EMAIL PROTECTED]> wrote:
> A closer look at the log files revealed the following repeated error
> message:
>
> Mon Mar 11 20:36:54 2002 : Error: WARNING: Malformed RADIUS packet from
> host aaa.bbb.ccc.ddd: Invalid attribute 0

  Yup.  You've received a bad packet.  The RADIUS client hasn't implemented the RADIUS protocol correctly, so it's not a RADIUS client.

> Calling the network people at the supplier revealed they had had a
> similar problem with other clients; that this was a 'cosmetic flaw only'
> and didn't have any real impact.

  I *really* doubt that.  If a RADIUS client is sending you crap, what the heck is wrong with it?  It *cannot* be trusted to send real RADIUS requests.  The only solution is to drop them on the floor.

> But yet, the server remained silent.  Some testing from another site
> using the freeradius client and hand-hacked parameters had no
> problems logging in, unless I added the "bogus" attribute with ID 0
> to the dictionary and sent it along, at which point the same error
> occurred.

  Yes...  attribute 0 does not exist, is not defined, and is wrong.

> Looking into the source, I found that the error lay in src/lib/radius.c
> lines 713-721: (With apologies for the long lines)
...
> ----
> What I'd like to know is what exactly the reasoning is behind so drastic
> a response.  Is there some inherent security flaw or overflow
> vulnerability when an attribute is zero?  Are there serious specification
> problems with it?

  It means that the client is lying to you, and sending you garbage data.

> I'd prefer not to have to disable this without knowing the reason behind
> the check.  If anyone would care to enlighten me?

  I would like to know why the people writing the client software think it's a good idea to send you crap.  Why haven't they fixed their bugs?

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
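As an added illustration of the check being discussed (this is example code written for this page, not the FreeRADIUS src/lib/radius.c code the thread refers to), the following C validator walks the attribute TLVs of a RADIUS packet the way RFC 2865 lays them out (one type byte, one length byte, then the value) and reports the first malformed attribute. It rejects attribute type 0, which RFC 2865 never defines, and it also rejects the two length defects a server has to guard against: a length byte below 2 (a naive walker that trusts it never advances) and a length that runs past the end of the packet (a naive walker reads beyond the buffer). The sample packets are constructed for this example; the authenticator is all zeros and the client address 192.0.2.1 is documentation space, neither taken from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16). */
#define RADIUS_HDR_LEN 20

enum attr_check {
    ATTR_OK = 0,
    ATTR_PACKET_TOO_SHORT, /* fewer than 20 bytes, or header Length field unusable */
    ATTR_TYPE_ZERO,        /* attribute type 0 is not defined by RFC 2865 */
    ATTR_BAD_LENGTH        /* attribute length < 2, or runs past the packet end */
};

/*
 * Walk the attributes that follow the header and report the first malformed one.
 * On return *bad_offset (if non-NULL) holds the byte offset where checking stopped.
 * Hypothetical validator for this example; not FreeRADIUS's own code.
 */
enum attr_check check_radius_attrs(const uint8_t *pkt, size_t pktlen, size_t *bad_offset)
{
    size_t off = RADIUS_HDR_LEN;
    size_t hdr_len;

    if (bad_offset) *bad_offset = 0;
    if (pktlen < RADIUS_HDR_LEN) return ATTR_PACKET_TOO_SHORT;

    /* The header Length field bounds the walk; RFC 2865 s.3 says bytes beyond it
     * are padding, and a packet shorter than its Length must be discarded. */
    hdr_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (hdr_len < RADIUS_HDR_LEN || hdr_len > pktlen) return ATTR_PACKET_TOO_SHORT;

    while (off < hdr_len) {
        uint8_t type, len;

        if (bad_offset) *bad_offset = off;
        if (hdr_len - off < 2) return ATTR_BAD_LENGTH;   /* no room for type + length */
        type = pkt[off];
        len  = pkt[off + 1];
        if (type == 0) return ATTR_TYPE_ZERO;            /* the "Invalid attribute 0" case */
        if (len < 2 || len > hdr_len - off) return ATTR_BAD_LENGTH;
        off += len;
    }
    return ATTR_OK;
}

/* Convenience wrapper for callers that only want the offset of the first problem. */
size_t first_bad_offset(const uint8_t *pkt, size_t pktlen)
{
    size_t off = 0;
    check_radius_attrs(pkt, pktlen, &off);
    return off;
}

/* Constructed Access-Request (code 1, id 0x2a, zero authenticator for the sample):
 * User-Name="test" (type 1) and NAS-IP-Address=192.0.2.1 (type 4). Length 32. */
const uint8_t good_pkt[] = {
    0x01, 0x2a, 0x00, 0x20,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    1, 6, 't', 'e', 's', 't',
    4, 6, 192, 0, 2, 1
};

/* Same request with a trailing attribute of type 0 (length 3). Length 35. */
const uint8_t attr0_pkt[] = {
    0x01, 0x2a, 0x00, 0x23,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    1, 6, 't', 'e', 's', 't',
    4, 6, 192, 0, 2, 1,
    0, 3, 0x00
};

/* Second attribute claims 9 bytes but only 6 remain before the packet ends. */
const uint8_t trunc_pkt[] = {
    0x01, 0x2a, 0x00, 0x20,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    1, 6, 't', 'e', 's', 't',
    4, 9, 192, 0, 2, 1
};

/* Second attribute has length 0: a walker that trusts it would never advance. */
const uint8_t zerolen_pkt[] = {
    0x01, 0x2a, 0x00, 0x1c,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    1, 6, 't', 'e', 's', 't',
    4, 0
};

static const char *result_name(enum attr_check r)
{
    switch (r) {
    case ATTR_OK:               return "ok";
    case ATTR_PACKET_TOO_SHORT: return "packet too short";
    case ATTR_TYPE_ZERO:        return "invalid attribute 0";
    default:                    return "bad attribute length";
    }
}

int main(void)
{
    size_t off;
    printf("good_pkt:    %s\n", result_name(check_radius_attrs(good_pkt, sizeof good_pkt, &off)));
    printf("attr0_pkt:   %s at offset %zu\n", result_name(check_radius_attrs(attr0_pkt, sizeof attr0_pkt, &off)), off);
    printf("trunc_pkt:   %s at offset %zu\n", result_name(check_radius_attrs(trunc_pkt, sizeof trunc_pkt, &off)), off);
    printf("zerolen_pkt: %s at offset %zu\n", result_name(check_radius_attrs(zerolen_pkt, sizeof zerolen_pkt, &off)), off);
    return 0;
}
```

Rejecting the whole packet, rather than skipping the offending attribute, is the conservative choice: once one attribute is malformed there is no reliable way to know where the next one starts, and the offset reported by the walker is what you would log alongside the client address to take up with the vendor.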
