From: Arran Cudbard-Bell
Date: Thu, 4 Jun 2015 01:28:30 +0000 (-0600)
Subject: Log the reason *WHY* we're rejecting malformed packets, instead of doing it silently
X-Git-Tag: release_3_0_9~280
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e60dfcfb68e7dd1223e25038434e111f5ee33533;p=thirdparty%2Ffreeradius-server.git
Log the reason *WHY* we're rejecting malformed packets, instead of doing it silently
This probably wasn't done before for security reasons, but now we have the RATE_LIMIT macro, there's really no reason not to. This was discovered by a poorly configured F5 probe.
---
diff --git a/src/lib/radius.c b/src/lib/radius.c
index 2abd7689e4a..4160da76500 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -332,6 +332,7 @@ ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port,
 * Too little data is available, discard the packet.
 */
 if (data_len < 4) {
+ fr_strerror_printf("Expected at least 4 bytes of header data, got %zu bytes", data_len);
 rad_recv_discard(sockfd);
 return 1;
@@ -347,6 +348,8 @@ ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port,
 * a RADIUS header length: discard it.
 */
 if (packet_len < RADIUS_HDR_LEN) {
+ fr_strerror_printf("Expected at least " STRINGIFY(RADIUS_HDR_LEN) " bytes of packet "
+ "data, got %zu bytes", packet_len);
 rad_recv_discard(sockfd);
 return 1;
@@ -356,6 +359,8 @@ ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port,
 * Anything after 4k will be discarded.
 */
 } else if (packet_len > MAX_PACKET_LEN) {
+ fr_strerror_printf("Length field value too large, expected maximum of "
+ STRINGIFY(MAX_PACKET_LEN) " bytes, got %zu bytes", packet_len);
 rad_recv_discard(sockfd);
 return 1;
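Review bot: The message added in the `data_len < 4` branch of rad_recv_header formats `data_len` with `%zu`, the specifier for `size_t`; if `data_len` is a signed `ssize_t` (the function returns `ssize_t`, but the declaration is outside the hunk), the argument type does not match the format. The same applies to `packet_len` in the two following hunks of the same function. For a signed length use `%zd`, e.g. `fr_strerror_printf("Expected at least 4 bytes of header data, got %zd bytes", data_len);`, so the size an operator reads while triaging malformed traffic can be relied on. The messages are built only from fixed text and integers, so no packet content reaches the log, and that is worth keeping.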
@@ -366,6 +371,7 @@ ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port,
 * Convert AF. If unknown, discard packet.
 */
 if (!fr_sockaddr2ipaddr(&src, sizeof_src, src_ipaddr, src_port)) {
+ fr_strerror_printf("Unkown address family");
 rad_recv_discard(sockfd);
 return 1;
diff --git a/src/main/listen.c b/src/main/listen.c
index 31afbe7ab78..c12bde28f4d 100644
--- a/src/main/listen.c
+++ b/src/main/listen.c
@@ -1510,6 +1510,7 @@ static int auth_socket_recv(rad_listen_t *listener)
 FR_STATS_INC(auth, total_requests);
 if (rcode < 20) { /* RADIUS_HDR_LEN */
+ RATE_LIMIT(ERROR("Received malformed packet: %s", fr_strerror()));
 FR_STATS_INC(auth, total_malformed_requests);
 return 0;
 }
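Review bot: The string added in the `fr_sockaddr2ipaddr` failure branch of rad_recv_header is misspelled, `"Unkown address family"`, and since it ends up in the server log, a search or alert rule keyed on "Unknown" will not match it. Change it to `fr_strerror_printf("Unknown address family");`. If the family value can be read from `src` at this point (its type is not visible in the hunk), including the number in the message would tell an operator which kind of socket address was rejected.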
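Review bot: In auth_socket_recv the `rcode < 20` branch now prints `fr_strerror()` for every return value below 20, but the radius.c hunks on this page set the error string only on the discard paths that return 1. If any other value under 20 can reach this branch (the call and the earlier checks are outside the hunk), the log would show a stale or empty reason left over from an earlier failure; logging only when `rcode == 1`, or clearing the error string before the call to rad_recv_header, avoids that. The message also names no peer, so a rate-limited entry cannot be attributed to a sender; if the source address and port filled in by rad_recv_header are in scope here, add them to the format string.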