From: Alan T. DeKok
Date: Wed, 18 Jan 2023 20:36:31 +0000 (-0500)
Subject: check that the sequence numbers match
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f6dc6edbf956cbc78267a07dc64b917af557b0f;p=thirdparty%2Ffreeradius-server.git
check that the sequence numbers match as a "duct tape" kind of security.
---
diff --git a/src/modules/rlm_tacacs/rlm_tacacs_tcp.c b/src/modules/rlm_tacacs/rlm_tacacs_tcp.c
index 34beac53849..1ea16050956 100644
--- a/src/modules/rlm_tacacs/rlm_tacacs_tcp.c
+++ b/src/modules/rlm_tacacs/rlm_tacacs_tcp.c
@@ -552,6 +552,14 @@ static ssize_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *response_
 *response_code = 0; /* Initialise to keep the rest of the code happy */
+ /*
+ * Check the session ID here, because we've lost the original packet.
+ */
+ if (h->session_id != fr_nbo_to_uint32(data + 4)) {
+ REDEBUG("Session ID %08x does not match expected number %08x",
+ fr_nbo_to_uint32(data + 4), h->session_id);
+ }
+
 /*
 * Decode the attributes, in the context of the reply.
 * This only fails if the packet is strangely malformed,
diff --git a/src/protocols/tacacs/decode.c b/src/protocols/tacacs/decode.c
index 7ad536a3f34..f05145418e0 100644
--- a/src/protocols/tacacs/decode.c
+++ b/src/protocols/tacacs/decode.c
@@ -247,7 +247,7 @@ static int tacacs_decode_field(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_att
 * Decode a TACACS+ packet
 */
 ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *buffer, size_t buffer_len,
- UNUSED const uint8_t *original, char const * const secret, size_t secret_len)
+ const uint8_t *original, char const * const secret, size_t secret_len)
 {
 fr_tacacs_packet_t const *pkt;
 fr_pair_t *vp;
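Review bot: In decode() in rlm_tacacs_tcp.c, the new session-ID branch only logs through REDEBUG and then falls through to the attribute decode, so a reply whose session ID differs from `h->session_id` is still processed. Since the comment says the original packet is no longer available here, fr_tacacs_decode() is presumably called with a NULL `original` on this path, which skips the check added in decode.c and would leave this log line as the only comparison. The branch should fail the decode after the log line, e.g. `return -1;` or whatever value decode()'s other error paths return (they are outside the hunk). It is also worth confirming that the received length covers at least the full header before `data + 4` is read; that validation is not visible in this hunk.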
@@ -320,6 +320,15 @@ ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *bu
 return -1;
 }
+ /*
+ * Check that the session IDs are correct.
+ */
+ if (original && (memcmp(original + 4, buffer + 4, 4) != 0)) {
+ fr_strerror_printf("Session ID %08x does not match expected number %08x",
+ fr_nbo_to_uint32(buffer + 4), fr_nbo_to_uint32(original + 4));
+ return -1;
+ }
+
 /*
 * Call the struct encoder to do the actual work.
 */
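Review bot: The new `memcmp(original + 4, buffer + 4, 4)` reads eight bytes into `original`, but fr_tacacs_decode() takes no length for that pointer, so the requirement that callers pass at least a complete TACACS+ header (or NULL) should be written down. I would extend the function comment with a line such as `original: the request packet, at least one full header long, or NULL to skip the session ID check`. The bare `4`s are the offset and size of the session ID field and would read better as named constants, or through the header struct that `pkt` points to if it exposes that field. The commit subject speaks of sequence numbers while only the session ID is compared; the seq_no byte is not checked in any visible hunk. The function body starts and ends outside this hunk.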