.verify = {
.require_message_authenticator = false,
.max_attributes = RADIUS_MAX_ATTRIBUTES,
+ .max_packet_size = 4096,
},
};
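Review bot: `.max_packet_size = 4096` is a bare literal sitting next to `.max_attributes = RADIUS_MAX_ATTRIBUTES`, which names its limit. 4096 is the maximum RADIUS packet length from RFC 2865, so the value is right, but the initializer should say so: either reuse a project constant for that limit if one exists (none is visible in this hunk) or add `/* RFC 2865 maximum packet length */` after the line. The enclosing initializer starts before the hunk.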
uint8_t version; /* IP header version */
bool response; /* Was it a response code */
- decode_fail_t reason; /* Why we failed decoding the packet */
+ fr_radius_decode_fail_t reason; /* Why we failed decoding the packet */
static uint64_t captured = 0;
rs_status_t status = RS_NORMAL; /* Any special conditions (RTX, Unlinked, ID-Reused) */
#include "proto.h"
#include "pair.h"
-/** Failure reasons */
-typedef enum {
- DECODE_FAIL_NONE = 0,
- DECODE_FAIL_MIN_LENGTH_PACKET,
- DECODE_FAIL_MIN_LENGTH_FIELD,
- DECODE_FAIL_MIN_LENGTH_MISMATCH,
- DECODE_FAIL_HEADER_OVERFLOW,
- DECODE_FAIL_UNKNOWN_PACKET_CODE,
- DECODE_FAIL_INVALID_ATTRIBUTE,
- DECODE_FAIL_ATTRIBUTE_TOO_SHORT,
- DECODE_FAIL_ATTRIBUTE_OVERFLOW,
- DECODE_FAIL_MA_INVALID_LENGTH,
- DECODE_FAIL_ATTRIBUTE_UNDERFLOW,
- DECODE_FAIL_TOO_MANY_ATTRIBUTES,
- DECODE_FAIL_MA_MISSING,
- DECODE_FAIL_MA_INVALID,
- DECODE_FAIL_UNKNOWN,
- DECODE_FAIL_MAX
-} decode_fail_t;
-
/** Allocate an encoder/decoder ctx
*
* @param[out] out Where the decoder context should be written.
proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
ssize_t data_size;
size_t packet_len, in_buffer;
- decode_fail_t reason;
+ fr_radius_decode_fail_t reason;
/*
* We may have read multiple packets in the previous read. In which case the buffer may already
int flags;
ssize_t data_size;
size_t packet_len;
- decode_fail_t reason;
+ fr_radius_decode_fail_t reason;
*leftover = 0; /* always for UDP */
static int encode(rlm_radius_udp_t const *inst, request_t *request, udp_request_t *u, uint8_t id);
-static decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
+static fr_radius_decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
udp_handle_t *h, request_t *request, udp_request_t *u,
uint8_t const request_authenticator[static RADIUS_AUTH_VECTOR_LENGTH],
uint8_t *data, size_t data_len);
* - DECODE_FAIL_NONE on success.
* - DECODE_FAIL_* on failure.
*/
-static decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
+static fr_radius_decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
udp_handle_t *h, request_t *request, udp_request_t *u,
uint8_t const request_authenticator[static RADIUS_AUTH_VECTOR_LENGTH],
uint8_t *data, size_t data_len)
udp_request_t *u;
udp_result_t *r;
radius_track_entry_t *rr;
- decode_fail_t reason;
+ fr_radius_decode_fail_t reason;
uint8_t code = 0;
fr_pair_list_t reply;
static int encode(rlm_radius_t const *inst, request_t *request, bio_request_t *u, uint8_t id);
-static decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
+static fr_radius_decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
bio_handle_t *h, request_t *request, bio_request_t *u,
uint8_t const request_authenticator[static RADIUS_AUTH_VECTOR_LENGTH],
uint8_t *data, size_t data_len);
static fr_bio_verify_action_t rlm_radius_verify(UNUSED fr_bio_t *bio, void *verify_ctx, UNUSED void *packet_ctx, const void *data, size_t *size)
{
- decode_fail_t failure;
+ fr_radius_decode_fail_t failure;
size_t in_buffer = *size;
bio_handle_t *h = verify_ctx;
uint8_t const *hdr = data;
* - DECODE_FAIL_NONE on success.
* - DECODE_FAIL_* on failure.
*/
-static decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
+static fr_radius_decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_code,
bio_handle_t *h, request_t *request, bio_request_t *u,
uint8_t const request_authenticator[static RADIUS_AUTH_VECTOR_LENGTH],
uint8_t *data, size_t data_len)
bio_request_t *u;
bio_result_t *r;
radius_track_entry_t *rr;
- decode_fail_t reason;
+ fr_radius_decode_fail_t reason;
uint8_t code = 0;
fr_pair_list_t reply;
fr_pair_t *vp;
* - False on failure.
*/
bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
- uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason)
+ uint32_t max_attributes, bool require_message_authenticator, fr_radius_decode_fail_t *reason)
{
uint8_t const *attr, *end;
size_t totallen;
bool seen_ma = false;
uint32_t num_attributes;
- decode_fail_t failure = DECODE_FAIL_NONE;
+ fr_radius_decode_fail_t failure = DECODE_FAIL_NONE;
size_t packet_len = *packet_len_p;
/*
*/
fr_bio_verify_action_t fr_radius_bio_verify(UNUSED fr_bio_t *bio, void *verify_ctx, UNUSED void *packet_ctx, const void *data, size_t *size)
{
- decode_fail_t failure;
+ fr_radius_decode_fail_t failure;
size_t in_buffer = *size;
fr_radius_bio_verify_t *uctx = verify_ctx;
uint8_t const *hdr = data;
+ size_t want;
if (in_buffer < 4) {
*size = RADIUS_HEADER_LENGTH;
return FR_BIO_VERIFY_WANT_MORE;
}
+ want = fr_nbo_to_uint16(hdr + 2);
+ if (uctx->max_packet_size && (want > uctx->max_packet_size)) {
+ return FR_BIO_VERIFY_ERROR_CLOSE;
+ }
+
/*
* See if we need to discard the packet.
*/
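Review bot: The new oversize check in fr_radius_bio_verify returns FR_BIO_VERIFY_ERROR_CLOSE without recording why: `failure` is left unset and DECODE_FAIL_MAX_LENGTH_PACKET, which this commit adds to the enum and to reason_name, is not assigned anywhere in the visible hunks. If `failure` is later used for logging or counters (the function body continues outside the hunk), an operator will see a connection closed with no reason, which makes a run of over-length packets hard to tell apart from other close causes. Suggest `failure = DECODE_FAIL_MAX_LENGTH_PACKET;` ahead of the return, or at least a comment such as `/* length field exceeds the configured max_packet_size, 0 means no limit */`. The same applies to the matching check in fr_radius_bio_verify_datagram in the next hunk, which returns FR_BIO_VERIFY_ERROR_DISCARD under the same conditions.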
*/
fr_bio_verify_action_t fr_radius_bio_verify_datagram(UNUSED fr_bio_t *bio, void *verify_ctx, UNUSED void *packet_ctx, const void *data, size_t *size)
{
- decode_fail_t failure;
+ fr_radius_decode_fail_t failure;
size_t in_buffer = *size;
fr_radius_bio_verify_t *uctx = verify_ctx;
uint8_t const *hdr = data;
+ size_t want;
if (in_buffer < RADIUS_HEADER_LENGTH) return FR_BIO_VERIFY_DISCARD;
+ want = fr_nbo_to_uint16(hdr + 2);
+ if (uctx->max_packet_size && (want > uctx->max_packet_size)) {
+ return FR_BIO_VERIFY_ERROR_DISCARD;
+ }
+
/*
* See if we need to discard the packet.
*
size_t secret_len;
uint32_t max_attributes;
+ uint32_t max_packet_size;
bool allowed[FR_RADIUS_CODE_MAX]; //!< allowed outgoing packet types
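Review bot: The new `max_packet_size` field has no doc comment, while the neighbouring `allowed` field documents itself with `//!<`. The verify callbacks in this commit test it as `uctx->max_packet_size && (want > uctx->max_packet_size)`, so zero means "no limit", which a reader of this header cannot see; assuming this is the struct those callbacks read through `verify_ctx`, suggest `uint32_t max_packet_size; //!< Reject packets whose length field exceeds this, 0 = no limit`. The enclosing struct starts and ends outside the hunk.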
static const char *reason_name[DECODE_FAIL_MAX] = {
[ DECODE_FAIL_NONE ] = "all OK",
[ DECODE_FAIL_MIN_LENGTH_PACKET ] = "packet is too small",
+ [ DECODE_FAIL_MAX_LENGTH_PACKET ] = "packet is too large",
[ DECODE_FAIL_MIN_LENGTH_FIELD ] = "length field is too small",
[ DECODE_FAIL_MIN_LENGTH_MISMATCH ] = "length mismatch",
[ DECODE_FAIL_HEADER_OVERFLOW ] = "header overflow",
uint8_t const *data, size_t data_len, void *proto_ctx)
{
fr_radius_decode_ctx_t *test_ctx = talloc_get_type_abort(proto_ctx, fr_radius_decode_ctx_t);
- decode_fail_t reason;
+ fr_radius_decode_fail_t reason;
fr_pair_t *vp;
size_t packet_len = data_len;
* - True on success.
* - False on failure.
*/
-bool fr_packet_ok(fr_packet_t *packet, uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason)
+bool fr_packet_ok(fr_packet_t *packet, uint32_t max_attributes, bool require_message_authenticator, fr_radius_decode_fail_t *reason)
{
char host_ipaddr[INET6_ADDRSTRLEN];
fr_radius_attr_flags_encrypt_t encrypt; //!< Attribute is encrypted
} fr_radius_attr_flags_t;
+/** Failure reasons */
+typedef enum {
+ DECODE_FAIL_NONE = 0,
+ DECODE_FAIL_MIN_LENGTH_PACKET,
+ DECODE_FAIL_MAX_LENGTH_PACKET,
+ DECODE_FAIL_MIN_LENGTH_FIELD,
+ DECODE_FAIL_MIN_LENGTH_MISMATCH,
+ DECODE_FAIL_HEADER_OVERFLOW,
+ DECODE_FAIL_UNKNOWN_PACKET_CODE,
+ DECODE_FAIL_INVALID_ATTRIBUTE,
+ DECODE_FAIL_ATTRIBUTE_TOO_SHORT,
+ DECODE_FAIL_ATTRIBUTE_OVERFLOW,
+ DECODE_FAIL_MA_INVALID_LENGTH,
+ DECODE_FAIL_ATTRIBUTE_UNDERFLOW,
+ DECODE_FAIL_TOO_MANY_ATTRIBUTES,
+ DECODE_FAIL_MA_MISSING,
+ DECODE_FAIL_MA_INVALID,
+ DECODE_FAIL_UNKNOWN,
+ DECODE_FAIL_MAX
+} fr_radius_decode_fail_t;
+
+
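Review bot: The typedef is renamed to `fr_radius_decode_fail_t` when it moves into this header, but its enumerators keep the unprefixed `DECODE_FAIL_*` names, so the public-namespace cleanup is only half done and the constants can still collide with other protocol modules' decode enums; if renaming them is out of scope, a comment on the enum noting that the enumerator names are kept for compatibility would explain the mismatch. Inserting DECODE_FAIL_MAX_LENGTH_PACKET after DECODE_FAIL_MIN_LENGTH_PACKET also renumbers every later value, which is fine for the designated-initializer reason_name table in this commit but worth stating in the comment if any raw value is ever stored or compared externally (nothing visible here does). The `/** Failure reasons */` comment could say that DECODE_FAIL_MAX is a count sentinel, not a reason. The hunk also ends with two consecutive blank lines where the rest of the header uses one.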
DIAG_OFF(unused-function)
/** Return RADIUS-specific flags for a given attribute
*/
bool require_message_authenticator, bool limit_proxy_state) CC_HINT(nonnull (1,3));
bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p,
- uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason) CC_HINT(nonnull (1,2));
+ uint32_t max_attributes, bool require_message_authenticator, fr_radius_decode_fail_t *reason) CC_HINT(nonnull (1,2));
ssize_t fr_radius_ascend_secret(fr_dbuff_t *dbuff, uint8_t const *in, size_t inlen,
char const *secret, uint8_t const *vector);
char const *secret) CC_HINT(nonnull (1,2,4));
bool fr_packet_ok(fr_packet_t *packet, uint32_t max_attributes, bool require_message_authenticator,
- decode_fail_t *reason) CC_HINT(nonnull (1));
+ fr_radius_decode_fail_t *reason) CC_HINT(nonnull (1));
int fr_packet_verify(fr_packet_t *packet, fr_packet_t *original,
char const *secret) CC_HINT(nonnull (1,3));