From: Martin Willi
Date: Fri, 9 Jul 2010 11:53:43 +0000 (+0200)
Subject: Do not interpret long class attributes (such as from NPS) as group
X-Git-Tag: 4.4.1~94
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=52f97c389300491720980933609d38e46dd46e9d;p=thirdparty%2Fstrongswan.git

Do not interpret long class attributes (such as from NPS) as group
---
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index dfb97786a5..4b1a879c38 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -195,15 +195,23 @@ static void process_class(private_eap_radius_t *this, radius_message_t *msg)
 {
 if (type == RAT_CLASS)
 {
+ identification_t *id;
 ike_sa_t *ike_sa;
 auth_cfg_t *auth;
 
+ if (data.len >= 44)
+ { /* quirk: ignore long class attributes, these are used for
+ * other purposes by some RADIUS servers (such as NPS). */
+ continue;
+ }
+
 ike_sa = charon->bus->get_sa(charon->bus);
 if (ike_sa)
 {
 auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
- auth->add(auth, AUTH_RULE_GROUP,
- identification_create_from_data(data));
+ id = identification_create_from_data(data);
+ DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id);
+ auth->add(auth, AUTH_RULE_GROUP, id);
 }
 }
 }
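Review bot: The `data.len >= 44` test in process_class decides whether a RADIUS Class value becomes an `AUTH_RULE_GROUP` entry, yet the threshold is a bare number and the skip leaves no trace in the log. Group rules presumably feed authorization decisions, so a legitimate group name of 44 bytes or more would be dropped silently, while any shorter Class value that was never meant as a group is still accepted as one. I would give the limit a name and log the skip, for example `if (data.len >= MAX_GROUP_CLASS_LEN)` (a constructed name) with `DBG2(DBG_CFG, "ignoring long RADIUS Class attribute");` ahead of the `continue;`, and have the comment say where the value 44 comes from. The enclosing loop and the start of process_class lie outside the hunk, so how `data` is validated before this point cannot be judged from here.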