Re: BUG #5687: RADIUS Authentication issues

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: aland(at)freeradius(dot)org
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #5687: RADIUS Authentication issues
Date: 2010-10-07 19:04:01
Message-ID: AANLkTimfM5fhAXq-hY2Sw-61ESywuYgBpes1TEw5surY@mail.gmail.com
Lists: pgsql-bugs

On Tue, Oct 5, 2010 at 19:11, Alan T DeKok <aland(at)freeradius(dot)org> wrote:
> Magnus Hagander wrote:
>> Actually, never mind that one. Here's a patch I worked up from your
>> description, and that turns out to be fairly similar to yours in what
>> it does I think - except I'm not rearranging the code into a separate
>> function. We already have a while-loop.
>
>  Thanks.  The only comment I have is that the hard-coded 100000 could be
> USECS_PER_SEC.

That's hardcoded elsewhere in the backend though, and we've not used
USECS_PER_SEC anywhere else. So for consistency..

>> See attached context diff, and I've also included a diff without
>> whitespace changes since the majority of the diff is otherwise coming
>> from indenting the code one tab...
>>
>> (so far untested, I seem to have deleted my test-instance of the
>> radius server, but I figured I should post my attempt anyway)
>
>  I can set up a test server if you want.

Nah, I should get mine back up.

If you can test the complete patch in your environment (particularly
if you already have a "bad packet injector" that you know creates the
issue on 9.0), that would be great though.

>> Also, my patch does not change from log to warning - note that warning
>> is actually *below* log when it comes to the logfile (see
>> log_min_messages comments in postgresql.conf). I keep making that
>> mistake myself...
>
>  OK.  My only interest there was to ensure that a DoS attack wouldn't
> result in the log being flooded with "invalid packet" messages.

Uh, how exactly does your patch prevent that?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
