[3/3] Check for message truncation in radius client

Message ID	20210217223258.10801-4-anusha@meter.com
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Anusha Datar <anusha@meter.com> To: hostap@lists.infradead.org Subject: [PATCH 3/3] Check for message truncation in radius client Date: Wed, 17 Feb 2021 17:32:58 -0500 Message-Id: <20210217223258.10801-4-anusha@meter.com> In-Reply-To: <20210217223258.10801-1-anusha@meter.com> References: <20210217223258.10801-1-anusha@meter.com> MIME-Version: 1.0 summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:835 listed in] [list.dnswl.org] -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain Precedence: list Cc: Julian Squires <julian@cipht.net>, Steve deRosier <derosier@cal-sierra.com>, Anusha Datar <anusha@meter.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	Modify RADIUS message length validation \| expand [0/3] Modify RADIUS message length validation [1/3] Create RADIUS_MAX_MSG_LEN param in radius header [2/3] Set RADIUS message length to reflect RFC2865 [3/3] Check for message truncation in radius client

Message ID

20210217223258.10801-4-anusha@meter.com

State

Accepted

Headers

From: Anusha Datar <anusha@meter.com>
To: hostap@lists.infradead.org
Subject: [PATCH 3/3] Check for message truncation in radius client
Date: Wed, 17 Feb 2021 17:32:58 -0500
Message-Id: <20210217223258.10801-4-anusha@meter.com>
In-Reply-To: <20210217223258.10801-1-anusha@meter.com>
References: <20210217223258.10801-1-anusha@meter.com>
MIME-Version: 1.0
Precedence: list
Cc: Julian Squires <julian@cipht.net>,
 Steve deRosier <derosier@cal-sierra.com>,
 Anusha Datar <anusha@meter.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

Modify RADIUS message length validation | expand

Commit Message

Anusha Datar Feb. 17, 2021, 10:32 p.m. UTC

The radius client currently determines if a radius message is longer
than the supported maximum length by checking whether the size of the
received buffer and the length of the buffer (as returned by recv()) is
equal. This method fails to detect if the buffer has actually been
truncated. This change modifies the radius_client to instead use the
recvmsg() call and then check the message header flags to determine
whether or not the received message has been truncated and drop the
message if that is the case.

Signed-off-by: Anusha Datar <anusha@meter.com>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Reviewed-by: Julian Squires <julian@cipht.net>
---
 src/radius/radius_client.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
index 7484d61b8..ad02a998d 100644
--- a/src/radius/radius_client.c
+++ b/src/radius/radius_client.c
@@ -816,7 +816,9 @@  static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 	struct hostapd_radius_servers *conf = radius->conf;
 	RadiusType msg_type = (RadiusType) sock_ctx;
 	int len, roundtrip;
-	unsigned char buf[RADIUS_MAX_MSG_LEN + 1];
+	unsigned char buf[RADIUS_MAX_MSG_LEN];
+	struct msghdr msghdr = {0};
+	struct iovec iov;
 	struct radius_msg *msg;
 	struct radius_hdr *hdr;
 	struct radius_rx_handler *handlers;
@@ -836,15 +838,22 @@  static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 		rconf = conf->auth_server;
 	}
 
-	len = recv(sock, buf, sizeof(buf), MSG_DONTWAIT);
+	iov.iov_base = buf;
+	iov.iov_len = RADIUS_MAX_MSG_LEN;
+	msghdr.msg_iov = &iov;
+	msghdr.msg_iovlen = 1;
+	msghdr.msg_flags = 0;
+	len = recvmsg(sock, &msghdr, MSG_DONTWAIT);
 	if (len < 0) {
 		wpa_printf(MSG_INFO, "recv[RADIUS]: %s", strerror(errno));
 		return;
 	}
+
 	hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
 		       HOSTAPD_LEVEL_DEBUG, "Received %d bytes from RADIUS "
 		       "server", len);
-	if (len == sizeof(buf)) {
+
+	if (msghdr.msg_flags & MSG_TRUNC) {
 		wpa_printf(MSG_INFO, "RADIUS: Possibly too long UDP frame for our buffer - dropping it");
 		return;
 	}

[3/3] Check for message truncation in radius client

Commit Message

Patch