Bug#793200: [libfreeradius-client2] Fails to parse attribute list with unknown vendor as last attribute

Sven Eckelmann sven at open-mesh.com
Wed Jul 22 10:39:06 UTC 2015 

Package: libfreeradius-client2
Version: 1.1.6-7
Severity: normal
Tags: patch
Cc: freeradius-devel at lists.freeradius.org

I have noticed that the attribute list is empty for radius packets like:


Radius Protocol
    Code: Access-Accept (2)
    Packet identifier: 0xe4 (228)
    Length: 137
    Authenticator: c43ca3c2765cfab8545e6e4a7f83ba9a
    [This is a response to a request in frame 142]
    [Time from request: 0.004763000 seconds]
    Attribute Value Pairs
        AVP: l=11 t=Vendor-Specific(26) v=Reserved(0)
            VSA: l=5 t=Unknown-Attribute(27): 363030
                Unknown-Attribute: 363030
        AVP: l=12 t=Vendor-Specific(26) v=Wireless Broadband Alliance Ltd (previous was 'Wi-Fi Alliance')(14122)
            VSA: l=6 t=WISPr-Bandwidth-Max-Down(8): 124008
                WISPr-Bandwidth-Max-Down: 124008
        AVP: l=12 t=Vendor-Specific(26) v=Wireless Broadband Alliance Ltd (previous was 'Wi-Fi Alliance')(14122)
            VSA: l=6 t=WISPr-Bandwidth-Max-Up(7): 124007
                WISPr-Bandwidth-Max-Up: 124007
        AVP: l=6 t=Framed-Protocol(7): PPP(1)
            Framed-Protocol: PPP (1)
        AVP: l=6 t=Service-Type(6): Framed(2)
            Service-Type: Framed (2)
        AVP: l=46 t=Class(25): 8fdc089a00000137000102000a010a2d00000000d5a02756...
            Class: 8fdc089a00000137000102000a010a2d00000000d5a02756...
        AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311)
            VSA: l=6 t=MS-Link-Utilization-Threshold(14): 50
                MS-Link-Utilization-Threshold: 50
        AVP: l=12 t=Vendor-Specific(26) v=Microsoft(311)
            VSA: l=6 t=MS-Link-Drop-Time-Limit(15): 120
                MS-Link-Drop-Time-Limit: 120


The problem is that the vendor microsoft in my version was unknown.
The recursive attribute parser uses NULL as information for the caller that
its part of the parsing failed. But NULL is also returned when the last
attribute was from an unknown vendor. Instead it should only be skipped as
it is documented inside the function.

A proof of concept patch is attached which uses a special parameter which
is used to inform the caller about an error. The returned value is only
used as handler for the list.

--- System information. ---
Architecture: amd64
Kernel:       Linux 4.0.0-2-amd64

Debian Release: stretch/sid
  500 unstable        httpredir.debian.org 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-radiusclient-ng-Don-t-drop-attribute-list-when-last-.patch
Type: text/x-patch
Size: 5291 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20150722/b9ab0869/attachment-0001.bin>

More information about the Pkg-voip-maintainers mailing list