Bug #13842
openRADIUS user accounting limit inputs for bandwidth and total usage are not validated to prevent exceeding a 32 bit unsigned value
0%
Description
In the FreeRadius package, user upload/download limits can be set to any positive integer, including any values that could overflow a 32 bit unsigned integer. This causes no problems for the generation of the user entry or for FreeRADIUS parsing it. However, when these values are packed into attributes that are sent back as integers in RADIUS packets, the high word is truncated and only the bottom word is transferred. This yields situations where a user's traffic quota is specified in Megabytes as '10000', recorded in the user record's pfSense-Max-Total-Octets as:
pfSense-Max-Total-Octets := 10485760000
This value is a 64-bit integer
00 00 00 02 71 00 00 00
, which is truncated to 71 00 00 00
when packed into the pfSense-Max-Total-Octets attribute of type integer, giving the client the erroneous unsigned int value 1895825408 (about 1808MB), far lower than the administrator's intended 10000MB value.
This lack of input validation may lead to overflows in other user attributes that are packed into RADIUS attributes, such as the max bandwidth values, login time constraints, number of simultaneous connections, and others. This issue will only address the values that are multiplied - the max bandwidth and max upload/download usage.
Updated by Reid Linnemann over 1 year ago
- Related to Regression #13823: RADIUS attribute pfSense-Max-Total-Octets is not parsed correctly added
Updated by Reid Linnemann over 1 year ago
- Priority changed from Normal to High
- Target version changed from 23.01 to 2.7.0
- Plus Target Version set to 23.01
Updated by Jim Pingle over 1 year ago
- Project changed from pfSense to pfSense Packages
- Category changed from Authentication to FreeRADIUS
- Target version deleted (
2.7.0) - Plus Target Version deleted (
23.01) - Release Notes deleted (
Default)
From the description this is about adding input validation to limit what the FreeRADIUS package will allow, so moving this so it's targeted at the package. And since it's a package, there is no need for a target version constraint.
Updated by Reid Linnemann over 1 year ago
- Subject changed from RADIUS user accounting limit inputs are not validated to prevent exceeding a 32 bit unsigned value to RADIUS user accounting limit inputs for bandwidth and total usage are not validated to prevent exceeding a 32 bit unsigned value
- Description updated (diff)