standards/154842: invalid request authenticator in the second and
subsequent acct-packets, generated by libradius
Yaroslav Verbin
yv at lifelink.ru
Thu Feb 17 10:30:11 UTC 2011
>Number: 154842
>Category: standards
>Synopsis: invalid request authenticator in the second and subsequent acct-packets, generated by libradius
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-standards
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 17 10:30:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Yaroslav Verbin
>Release: 7.3,8.1
>Organization:
lifelink
>Environment:
FreeBSD nas 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010 root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
This problem occurs when the software (i used mpd5 from ports), that uses libradius, re-sends the acct-packet. Due to a bug in the library the second and subsequent acct-packets are have corrupted request authenticator and can not be accepted radius server with an error:
Received Accounting-Request packet from client x.x.x.x with invalid signature! (Shared secret is incorrect.) Dropping packet without response.
>How-To-Repeat:
drop first acct-packet.
>Fix:
--- radlib.c 2010-06-14 02:09:06.000000000 +0000
+++ radlib.c.new 2011-02-16 10:28:11.000000000 +0000
@@ -641,10 +641,6 @@
insert_scrambled_password(h, h->srv);
}
insert_message_authenticator(h, 0);
- if (h->out[POS_CODE] != RAD_ACCESS_REQUEST) {
- /* Insert the request authenticator into the request */
- insert_request_authenticator(h, h->srv);
- }
/* Send the request */
n = sendto(h->fd, h->out, h->out_len, 0,
@@ -910,6 +906,10 @@
}
h->try = h->srv = 0;
+ if (h->out[POS_CODE] != RAD_ACCESS_REQUEST) {
+ /* Insert the request authenticator into the request */
+ insert_request_authenticator(h, h->srv);
+ }
return rad_continue_send_request(h, 0, fd, tv);
}
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-standards
mailing list