Fix low-risk potential denial of service against RADIUS login.

Corrupt RADIUS responses were treated as errors and not ignored (which the RFC2865 states they should be). This meant that a user with unfiltered access to the network of the PostgreSQL or RADIUS server could send a spoofed RADIUS response to the PostgreSQL server causing it to reject a valid login, provided the attacker could also guess (or brute-force) the correct port number. Fix is to simply retry the receive in a loop until the timeout has expired or a valid (signed by the correct RADIUS server) packet arrives. Reported by Alan DeKok in bug #5687.

Fix low-risk potential denial of service against RADIUS login.
Corrupt RADIUS responses were treated as errors and not ignored (which the RFC2865 states they should be). This meant that a user with unfiltered access to the network of the PostgreSQL or RADIUS server could send a spoofed RADIUS response to the PostgreSQL server causing it to reject a valid login, provided the attacker could also guess (or brute-force) the correct port number. Fix is to simply retry the receive in a loop until the timeout has expired or a valid (signed by the correct RADIUS server) packet arrives. Reported by Alan DeKok in bug #5687.
0e7f7071 · Magnus Hagander · 915116bc · 0e7f7071
Commit 0e7f7071 authored Oct 15, 2010 by Magnus Hagander
Show whitespace changes
Inline Side-by-side

Showing with 126 additions and 94 deletions

src/backend/libpq/auth.c src/backend/libpq/auth.c +126 -94

No files found.
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2619,7 +2619,7 @@ CheckRADIUSAuth(Port *port)
 	char		portstr[128];
 	ACCEPT_TYPE_ARG3 addrsize;
 	fd_set		fdset;
-	struct timeval timeout;
+	struct timeval endtime;
 	int			i,
 				r;

@@ -2777,14 +2777,36 @@ CheckRADIUSAuth(Port *port)
 	/* Don't need the server address anymore */
 	pg_freeaddrinfo_all(hint.ai_family, serveraddrs);

-	/* Wait for a response */
-	timeout.tv_sec = RADIUS_TIMEOUT;
-	timeout.tv_usec = 0;
-	FD_ZERO(&fdset);
-	FD_SET(sock, &fdset);
+	/*
+	 * Figure out at what time we should time out. We can't just use
+	 * a single call to select() with a timeout, since somebody can
+	 * be sending invalid packets to our port thus causing us to
+	 * retry in a loop and never time out.
+	 */
+	gettimeofday(&endtime, NULL);
+	endtime.tv_sec += RADIUS_TIMEOUT;

 	while (true)
 	{
+		struct timeval timeout;
+		struct timeval now;
+		int64 timeoutval;
+
+		gettimeofday(&now, NULL);
+		timeoutval = (endtime.tv_sec * 1000000 + endtime.tv_usec) - (now.tv_sec * 1000000 + now.tv_usec);
+		if (timeoutval <= 0)
+		{
+			ereport(LOG,
+					(errmsg("timeout waiting for RADIUS response")));
+			closesocket(sock);
+			return STATUS_ERROR;
+		}
+		timeout.tv_sec = timeoutval / 1000000;
+		timeout.tv_usec = timeoutval % 1000000;
+
+		FD_ZERO(&fdset);
+		FD_SET(sock, &fdset);
+
 		r = select(sock + 1, &fdset, NULL, NULL, &timeout);
 		if (r < 0)
 		{
@@ -2805,11 +2827,17 @@ CheckRADIUSAuth(Port *port)
 			return STATUS_ERROR;
 		}

-		/* else we actually have a packet ready to read */
-		break;
-	}
+		/*
+		 * Attempt to read the response packet, and verify the contents.
+		 *
+		 * Any packet that's not actually a RADIUS packet, or otherwise
+		 * does not validate as an explicit reject, is just ignored and
+		 * we retry for another packet (until we reach the timeout). This
+		 * is to avoid the possibility to denial-of-service the login by
+		 * flooding the server with invalid packets on the port that
+		 * we're expecting the RADIUS response on.
+		 */

-	/* Read the response packet */
 		addrsize = sizeof(remoteaddr);
 		packetlength = recvfrom(sock, receive_buffer, RADIUS_BUFFER_SIZE, 0,
 								(struct sockaddr *) & remoteaddr, &addrsize);
@@ -2817,12 +2845,9 @@ CheckRADIUSAuth(Port *port)
 		{
 			ereport(LOG,
 					(errmsg("could not read RADIUS response: %m")));
-		closesocket(sock);
 			return STATUS_ERROR;
 		}

-	closesocket(sock);
-
 #ifdef HAVE_IPV6
 		if (remoteaddr.sin6_port != htons(port->hba->radiusport))
 #else
@@ -2838,14 +2863,14 @@ CheckRADIUSAuth(Port *port)
 					(errmsg("RADIUS response was sent from incorrect port: %i",
 							ntohs(remoteaddr.sin_port))));
 #endif
-		return STATUS_ERROR;
+			continue;
 		}

 		if (packetlength < RADIUS_HEADER_LENGTH)
 		{
 			ereport(LOG,
 					(errmsg("RADIUS response too short: %i", packetlength)));
-		return STATUS_ERROR;
+			continue;
 		}

 		if (packetlength != ntohs(receivepacket->length))
@@ -2853,7 +2878,7 @@ CheckRADIUSAuth(Port *port)
 			ereport(LOG,
 					(errmsg("RADIUS response has corrupt length: %i (actual length %i)",
 							ntohs(receivepacket->length), packetlength)));
-		return STATUS_ERROR;
+			continue;
 		}

 		if (packet->id != receivepacket->id)
@@ -2861,7 +2886,7 @@ CheckRADIUSAuth(Port *port)
 			ereport(LOG,
 					(errmsg("RADIUS response is to a different request: %i (should be %i)",
 							receivepacket->id, packet->id)));
-		return STATUS_ERROR;
+			continue;
 		}

 		/*
@@ -2886,7 +2911,7 @@ CheckRADIUSAuth(Port *port)
 			ereport(LOG,
 					(errmsg("could not perform MD5 encryption of received packet")));
 			pfree(cryptvector);
-		return STATUS_ERROR;
+			continue;
 		}
 		pfree(cryptvector);

@@ -2894,18 +2919,25 @@ CheckRADIUSAuth(Port *port)
 		{
 			ereport(LOG,
 					(errmsg("RADIUS response has incorrect MD5 signature")));
-		return STATUS_ERROR;
+			continue;
 		}

 		if (receivepacket->code == RADIUS_ACCESS_ACCEPT)
+		{
+			closesocket(sock);
 			return STATUS_OK;
+		}
 		else if (receivepacket->code == RADIUS_ACCESS_REJECT)
+		{
+			closesocket(sock);
 			return STATUS_ERROR;
+		}
 		else
 		{
 			ereport(LOG,
 					(errmsg("RADIUS response has invalid code (%i) for user \"%s\"",
 							receivepacket->code, port->user_name)));
-		return STATUS_ERROR;
+			continue;
 		}
+	} /* while (true) */
 }