Message ID | CAGnO3drbURFWJEhm2gyKK90gZq8TogsVpm6RQnkb16vXYDLo+Q@mail.gmail.com |
---|---|
State | Changes Requested |
Headers | show |
Note: This is a largely cosmetic change as the UDP port will differ and the Linux kernel will, these days, randomise the UDP port. It potentially avoids a conceptual race in older versions of the Linux kernel that are still in use: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=32c1da70810017a98aa6c431a5494a302b6b9a30 Nick
On Wed, Jul 27, 2016 at 01:36:31PM +0100, Nick Lowe wrote: > Note: This is a largely cosmetic change as the UDP port will differ > and the Linux kernel will, these days, randomise the UDP port. > > It potentially avoids a conceptual race in older versions of the Linux > kernel that are still in use: > > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=32c1da70810017a98aa6c431a5494a302b6b9a30 I'm not sure I really understand the point of this change.. What is the case where this could help in making it less likely for RADIUS messages to look as if being from the same NAS? If there are multiple hostapd instances running, wouldn't each get their own UDP source port? The RADIUS identifier is of importance when there are multiple parallel requests from the same IP address and UDP port, but that shouldn't really be the case for the multiple instances case mentioned in the commit message. This is regardless of whether the kernel selects a random source port for the UDP socket.
On Sep 18, 2016, at 2:29 PM, Jouni Malinen <j@w1.fi> wrote: > I'm not sure I really understand the point of this change.. What is the > case where this could help in making it less likely for RADIUS messages > to look as if being from the same NAS? If there are multiple hostapd > instances running, wouldn't each get their own UDP source port? Yes. > The > RADIUS identifier is of importance when there are multiple parallel > requests from the same IP address and UDP port, but that shouldn't > really be the case for the multiple instances case mentioned in the > commit message. This is regardless of whether the kernel selects a > random source port for the UDP socket. Yes. Alan DeKok.
diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c index a4edd5f..bfe42e1 100644 --- a/src/radius/radius_client.c +++ b/src/radius/radius_client.c @@ -1446,6 +1446,10 @@ radius_client_init(void *ctx, struct hostapd_radius_servers *conf) radius->auth_serv_sock = radius->acct_serv_sock = radius->auth_serv_sock6 = radius->acct_serv_sock6 = radius->auth_sock = radius->acct_sock = -1; + if (os_get_random((u8 *) &radius->next_radius_identifier, sizeof(radius->next_radius_identifier)) < 0) { + radius_client_deinit(radius); + return NULL; + }
[PATCH] Use a random initial value for next_radius_identifier so that the identifier is less likely to be reused when multiple hostapd instances are running that will appear to a RADIUS server as being from the same NAS. Signed-off-by: Nick Lowe <nick.lowe@lugatech.com> --- src/radius/radius_client.c | 4 ++++ 1 file changed, 4 insertions(+) if (conf->auth_server && radius_client_init_auth(radius)) { radius_client_deinit(radius);