Enforce BlastRADIUS checks for TCP sockets, too.
authorAlan T. DeKok <aland@freeradius.org>
Sat, 29 Jun 2024 14:27:47 +0000 (10:27 -0400)
committerMatthew Newton <matthew-git@newtoncomputing.co.uk>
Mon, 8 Jul 2024 19:40:57 +0000 (20:40 +0100)
Though TBH, no one should use TCP for anything.

src/main/listen.c

index 8f74f7d629810aa6c231f05fdcc23ff2ad7257f9..2c0fe31db0b2d446da9b54af196e36a5fd8a2708 100644 (file)
@@ -578,6 +578,16 @@ static int dual_tcp_recv(rad_listen_t *listener)
        switch (packet->code) {
        case PW_CODE_ACCESS_REQUEST:
                if (listener->type != RAD_LISTEN_AUTH) goto bad_packet;
+
+               /*
+                *      Enforce BlastRADIUS checks on TCP, too.
+                */
+               if (!rad_packet_ok(packet, client->require_ma | (((int) client->limit_proxy_state) << 2), NULL)) {
+                       FR_STATS_INC(auth, total_malformed_requests);
+                       rad_free(&sock->packet);
+                       return 0;
+               }
+
                FR_STATS_INC(auth, total_requests);
                fun = rad_authenticate;
                break;
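Review bot: The flags argument of the new `rad_packet_ok()` call packs two per-client settings with a bare `<< 2`, and nothing in the hunk explains why the shift is 2 or which bits `require_ma` may occupy. A short comment such as `/* flags: low bits = require_ma, bits 2 and up = limit_proxy_state */` (wording to be confirmed against `rad_packet_ok`) would help prevent a later change to either field from silently weakening the check. The call also passes `NULL` as its last argument, so as far as this hunk shows, the only trace of a rejected request is the `total_malformed_requests` counter. Logging the client at the drop site would let operators see which peer is sending requests that fail the check. The new block returns directly rather than taking the `goto bad_packet` path used one line above; `bad_packet` and the rest of `dual_tcp_recv` lie outside the hunk, so it is worth confirming that both paths release `sock->packet` the same way.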