From: Alan T. DeKok <aland@freeradius.org>
Date: Wed, 22 Feb 2023 21:54:36 +0000 (-0500)
Subject: complain about secret key on bad packets
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b4a0870b0837a38daf88d3472a5f6be2d8a5af42;p=thirdparty%2Ffreeradius-server.git

complain about secret key on bad packets

which is almost always going to be the source of bad packets
---

diff --git a/src/protocols/tacacs/decode.c b/src/protocols/tacacs/decode.c
index 6cd5a104d48..983f7f244f5 100644
--- a/src/protocols/tacacs/decode.c
+++ b/src/protocols/tacacs/decode.c
@@ -576,11 +576,19 @@ ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_attr_t co
 			data_len += p[4] + p[5] + p[6] + p[7];
 			if (data_len > (size_t) (end - p)) {
 			overflow:
+				if ((buffer[3] & FR_TAC_PLUS_UNENCRYPTED_FLAG) == 0) {
+				bad_secret:
+					fr_strerror_const("Invalid packet after decryption - is the secret key incorrect?");
+					goto fail;
+				}
+
 				fr_strerror_const("Data overflows the packet");
 				goto fail;
 			}
 			if (data_len < (size_t) (end - p)) {
 			underflow:
+				if ((buffer[3] & FR_TAC_PLUS_UNENCRYPTED_FLAG) == 0) goto bad_secret;
+
 				fr_strerror_const("Data underflows the packet");
 				goto fail;
 			}