From ae6e27a9843df975c9716ac963504c312a3ee4fd Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Wed, 29 Mar 2023 16:53:11 +0900
Subject: [PATCH] add pre_proxy method which catches invalid EAP packets.
Because "._udp.local" is not a valid EAP message
---
 src/modules/rlm_eap/rlm_eap.c | 23 +++++++++++++++++++++++
 src/modules/rlm_eap/rlm_eap.h | 1 +
 2 files changed, 24 insertions(+)
diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c
index 24b8c5ee2d..03a3f7d641 100644
--- a/src/modules/rlm_eap/rlm_eap.c
+++ b/src/modules/rlm_eap/rlm_eap.c
@@ -35,6 +35,7 @@ RCSID("$Id$")
 static const CONF_PARSER module_config[] = {
 { "default_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_t, default_method_name), "md5" },
 { "timer_expire", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_eap_t, timer_limit), "60" },
+ { "max_eap_type", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_eap_t, max_eap_type), "52" },
 { "ignore_unknown_eap_types", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_t, ignore_unknown_types), "no" },
 { "cisco_accounting_username_bug", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_t, mod_accounting_username_bug), "no" },
 { "max_sessions", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_eap_t, max_sessions), "2048" },
@@ -559,6 +560,27 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void *instance, REQUEST *reque
 #ifdef WITH_PROXY
+static rlm_rcode_t CC_HINT(nonnull) mod_pre_proxy(void *instance, REQUEST *request)
+{
+ VALUE_PAIR *vp;
+ size_t length;
+ rlm_eap_t *inst = instance;
+
+ vp = fr_pair_find_by_num(request->packet->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
+ if (!vp) return RLM_MODULE_NOOP;
+
+ if (vp->vp_length < 4) return RLM_MODULE_NOOP;
+
+ length = (vp->vp_octets[2] << 8) | vp->vp_octets[3];
+ if (length != vp->vp_length) return RLM_MODULE_REJECT;
+
+ if (!inst->max_eap_type) return RLM_MODULE_NOOP;
+
+ if (vp->vp_octets[4] > inst->max_eap_type) return RLM_MODULE_REJECT;
+
+ return RLM_MODULE_NOOP;
+}
+
 /*
  * If we're proxying EAP, then there may be magic we need
  * to do.
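Review bot: `vp->vp_octets[4]` is read after a guard of only `vp->vp_length < 4`, so a 4-byte EAP packet (a Success or Failure, which RFC 3748 defines with no Type field) makes the max_eap_type check read one byte past the attribute value; the Type byte exists only in Request and Response packets, so the EAP code should be checked and the length guard raised to 5 before indexing. The length comparison also rejects any EAP message that arrives split across several EAP-Message attributes, as RFC 3579 requires for messages longer than 253 bytes, because only the first attribute's `vp_length` is compared with the embedded length; if fragmented messages can reach pre-proxy here, skip the comparison when another EAP-Message attribute follows. Note as well that the default `max_eap_type` of 52 from the config table would reject the expanded type 254, which may or may not be intended. The rewritten checks are below.
```c
	if (vp->vp_length < 4) return RLM_MODULE_NOOP;

	/*
	 *	RFC 3579: messages longer than 253 bytes are split across
	 *	several EAP-Message attributes, so only the reassembled
	 *	length can be compared; leave those to the EAP code.
	 */
	if (fr_pair_find_by_num(vp->next, PW_EAP_MESSAGE, 0, TAG_ANY)) return RLM_MODULE_NOOP;

	length = (vp->vp_octets[2] << 8) | vp->vp_octets[3];
	if (length != vp->vp_length) return RLM_MODULE_REJECT;

	if (!inst->max_eap_type) return RLM_MODULE_NOOP;

	/*
	 *	Only Request (1) and Response (2) carry a Type byte
	 *	(RFC 3748 section 4.1); Success / Failure are 4 bytes.
	 */
	if ((vp->vp_octets[0] != 1) && (vp->vp_octets[0] != 2)) return RLM_MODULE_NOOP;
	if (vp->vp_length < 5) return RLM_MODULE_NOOP;

	if (vp->vp_octets[4] > inst->max_eap_type) return RLM_MODULE_REJECT;

	/* … unchanged: final return RLM_MODULE_NOOP … */
```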
@@ -807,6 +829,7 @@ module_t rlm_eap = {
 [MOD_AUTHENTICATE] = mod_authenticate,
 [MOD_AUTHORIZE] = mod_authorize,
 #ifdef WITH_PROXY
+ [MOD_PRE_PROXY] = mod_pre_proxy,
 [MOD_POST_PROXY] = mod_post_proxy,
 #endif
 [MOD_POST_AUTH] = mod_post_auth
diff --git a/src/modules/rlm_eap/rlm_eap.h b/src/modules/rlm_eap/rlm_eap.h
index 384f7f78d7..0b9311cd83 100644
--- a/src/modules/rlm_eap/rlm_eap.h
+++ b/src/modules/rlm_eap/rlm_eap.h
@@ -56,6 +56,7 @@ typedef struct rlm_eap {
  * Configuration items.
  */
 uint32_t timer_limit;
+ uint32_t max_eap_type;
 char const *default_method_name;
 eap_type_t default_method;
-- 
2.47.2