mirror of
https://github.com/postgres/postgres.git
synced 2025-07-12 21:01:52 +03:00
Fix low-risk potential denial of service against RADIUS login.
Corrupt RADIUS responses were treated as errors and not ignored (which the RFC2865 states they should be). This meant that a user with unfiltered access to the network of the PostgreSQL or RADIUS server could send a spoofed RADIUS response to the PostgreSQL server causing it to reject a valid login, provided the attacker could also guess (or brute-force) the correct port number. Fix is to simply retry the receive in a loop until the timeout has expired or a valid (signed by the correct RADIUS server) packet arrives. Reported by Alan DeKok in bug #5687.
This commit is contained in:
Magnus Hagander
@ -2619,7 +2619,7 @@ CheckRADIUSAuth(Port *port)
|
|||||||
char portstr[128];
|
char portstr[128];
|
||||||
ACCEPT_TYPE_ARG3 addrsize;
|
ACCEPT_TYPE_ARG3 addrsize;
|
||||||
fd_set fdset;
|
fd_set fdset;
|
||||||
struct timeval timeout;
|
struct timeval endtime;
|
||||||
int i,
|
int i,
|
||||||
r;
|
r;
|
||||||
|
|
||||||
@ -2777,14 +2777,36 @@ CheckRADIUSAuth(Port *port)
|
|||||||
/* Don't need the server address anymore */
|
/* Don't need the server address anymore */
|
||||||
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
||||||
|
|
||||||
/* Wait for a response */
|
/*
|
||||||
timeout.tv_sec = RADIUS_TIMEOUT;
|
* Figure out at what time we should time out. We can't just use
|
||||||
timeout.tv_usec = 0;
|
* a single call to select() with a timeout, since somebody can
|
||||||
FD_ZERO(&fdset);
|
* be sending invalid packets to our port thus causing us to
|
||||||
FD_SET(sock, &fdset);
|
* retry in a loop and never time out.
|
||||||
|
*/
|
||||||
|
gettimeofday(&endtime, NULL);
|
||||||
|
endtime.tv_sec += RADIUS_TIMEOUT;
|
||||||
|
|
||||||
while (true)
|
while (true)
|
||||||
{
|
{
|
||||||
|
struct timeval timeout;
|
||||||
|
struct timeval now;
|
||||||
|
int64 timeoutval;
|
||||||
|
|
||||||
|
gettimeofday(&now, NULL);
|
||||||
|
timeoutval = (endtime.tv_sec * 1000000 + endtime.tv_usec) - (now.tv_sec * 1000000 + now.tv_usec);
|
||||||
|
if (timeoutval <= 0)
|
||||||
|
{
|
||||||
|
ereport(LOG,
|
||||||
|
(errmsg("timeout waiting for RADIUS response")));
|
||||||
|
closesocket(sock);
|
||||||
|
return STATUS_ERROR;
|
||||||
|
}
|
||||||
|
timeout.tv_sec = timeoutval / 1000000;
|
||||||
|
timeout.tv_usec = timeoutval % 1000000;
|
||||||
|
|
||||||
|
FD_ZERO(&fdset);
|
||||||
|
FD_SET(sock, &fdset);
|
||||||
|
|
||||||
r = select(sock + 1, &fdset, NULL, NULL, &timeout);
|
r = select(sock + 1, &fdset, NULL, NULL, &timeout);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
{
|
{
|
||||||
@ -2805,11 +2827,17 @@ CheckRADIUSAuth(Port *port)
|
|||||||
return STATUS_ERROR;
|
return STATUS_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* else we actually have a packet ready to read */
|
/*
|
||||||
break;
|
* Attempt to read the response packet, and verify the contents.
|
||||||
}
|
*
|
||||||
|
* Any packet that's not actually a RADIUS packet, or otherwise
|
||||||
|
* does not validate as an explicit reject, is just ignored and
|
||||||
|
* we retry for another packet (until we reach the timeout). This
|
||||||
|
* is to avoid the possibility to denial-of-service the login by
|
||||||
|
* flooding the server with invalid packets on the port that
|
||||||
|
* we're expecting the RADIUS response on.
|
||||||
|
*/
|
||||||
|
|
||||||
/* Read the response packet */
|
|
||||||
addrsize = sizeof(remoteaddr);
|
addrsize = sizeof(remoteaddr);
|
||||||
packetlength = recvfrom(sock, receive_buffer, RADIUS_BUFFER_SIZE, 0,
|
packetlength = recvfrom(sock, receive_buffer, RADIUS_BUFFER_SIZE, 0,
|
||||||
(struct sockaddr *) & remoteaddr, &addrsize);
|
(struct sockaddr *) & remoteaddr, &addrsize);
|
||||||
@ -2817,12 +2845,9 @@ CheckRADIUSAuth(Port *port)
|
|||||||
{
|
{
|
||||||
ereport(LOG,
|
ereport(LOG,
|
||||||
(errmsg("could not read RADIUS response: %m")));
|
(errmsg("could not read RADIUS response: %m")));
|
||||||
closesocket(sock);
|
|
||||||
return STATUS_ERROR;
|
return STATUS_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
closesocket(sock);
|
|
||||||
|
|
||||||
#ifdef HAVE_IPV6
|
#ifdef HAVE_IPV6
|
||||||
if (remoteaddr.sin6_port != htons(port->hba->radiusport))
|
if (remoteaddr.sin6_port != htons(port->hba->radiusport))
|
||||||
#else
|
#else
|
||||||
@ -2838,14 +2863,14 @@ CheckRADIUSAuth(Port *port)
|
|||||||
(errmsg("RADIUS response was sent from incorrect port: %i",
|
(errmsg("RADIUS response was sent from incorrect port: %i",
|
||||||
ntohs(remoteaddr.sin_port))));
|
ntohs(remoteaddr.sin_port))));
|
||||||
#endif
|
#endif
|
||||||
return STATUS_ERROR;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (packetlength < RADIUS_HEADER_LENGTH)
|
if (packetlength < RADIUS_HEADER_LENGTH)
|
||||||
{
|
{
|
||||||
ereport(LOG,
|
ereport(LOG,
|
||||||
(errmsg("RADIUS response too short: %i", packetlength)));
|
(errmsg("RADIUS response too short: %i", packetlength)));
|
||||||
return STATUS_ERROR;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (packetlength != ntohs(receivepacket->length))
|
if (packetlength != ntohs(receivepacket->length))
|
||||||
@ -2853,7 +2878,7 @@ CheckRADIUSAuth(Port *port)
|
|||||||
ereport(LOG,
|
ereport(LOG,
|
||||||
(errmsg("RADIUS response has corrupt length: %i (actual length %i)",
|
(errmsg("RADIUS response has corrupt length: %i (actual length %i)",
|
||||||
ntohs(receivepacket->length), packetlength)));
|
ntohs(receivepacket->length), packetlength)));
|
||||||
return STATUS_ERROR;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (packet->id != receivepacket->id)
|
if (packet->id != receivepacket->id)
|
||||||
@ -2861,7 +2886,7 @@ CheckRADIUSAuth(Port *port)
|
|||||||
ereport(LOG,
|
ereport(LOG,
|
||||||
(errmsg("RADIUS response is to a different request: %i (should be %i)",
|
(errmsg("RADIUS response is to a different request: %i (should be %i)",
|
||||||
receivepacket->id, packet->id)));
|
receivepacket->id, packet->id)));
|
||||||
return STATUS_ERROR;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -2886,7 +2911,7 @@ CheckRADIUSAuth(Port *port)
|
|||||||
ereport(LOG,
|
ereport(LOG,
|
||||||
(errmsg("could not perform MD5 encryption of received packet")));
|
(errmsg("could not perform MD5 encryption of received packet")));
|
||||||
pfree(cryptvector);
|
pfree(cryptvector);
|
||||||
return STATUS_ERROR;
|
continue;
|
||||||
}
|
}
|
||||||
pfree(cryptvector);
|
pfree(cryptvector);
|
||||||
|
|
||||||
@ -2894,18 +2919,25 @@ CheckRADIUSAuth(Port *port)
|
|||||||
{
|
{
|
||||||
ereport(LOG,
|
ereport(LOG,
|
||||||
(errmsg("RADIUS response has incorrect MD5 signature")));
|
(errmsg("RADIUS response has incorrect MD5 signature")));
|
||||||
return STATUS_ERROR;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (receivepacket->code == RADIUS_ACCESS_ACCEPT)
|
if (receivepacket->code == RADIUS_ACCESS_ACCEPT)
|
||||||
|
{
|
||||||
|
closesocket(sock);
|
||||||
return STATUS_OK;
|
return STATUS_OK;
|
||||||
|
}
|
||||||
else if (receivepacket->code == RADIUS_ACCESS_REJECT)
|
else if (receivepacket->code == RADIUS_ACCESS_REJECT)
|
||||||
|
{
|
||||||
|
closesocket(sock);
|
||||||
return STATUS_ERROR;
|
return STATUS_ERROR;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
ereport(LOG,
|
ereport(LOG,
|
||||||
(errmsg("RADIUS response has invalid code (%i) for user \"%s\"",
|
(errmsg("RADIUS response has invalid code (%i) for user \"%s\"",
|
||||||
receivepacket->code, port->user_name)));
|
receivepacket->code, port->user_name)));
|
||||||
return STATUS_ERROR;
|
continue;
|
||||||
}
|
}
|
||||||
|
} /* while (true) */
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user