Ignore home server ping packets

Resolves: RHEL-54312
Signed-off-by: Antonio Torres <antorres@redhat.com>
Antonio Torres 2024-10-01 11:37:03 +02:00
parent 1dd179f336
commit 0dae9ec437
2 changed files with 27 additions and 14 deletions


@ -15,6 +15,7 @@ to work on top of OpenSSL 3.0 when the system is in FIPS mode. We enable this ma
[antorres@redhat.com]: mods-available/eap has been modified to comment out 'disable_tlsv1' and 'dh_file' options. [antorres@redhat.com]: mods-available/eap has been modified to comment out 'disable_tlsv1' and 'dh_file' options.
[antorres@redhat.com]: add fix for BlastRADIUS CVE, commit range backported: 3a00a6ecc188629b0441fd45ad61ca8986de156e^..da643f1edc267ce95260dc36069e6f1a7a4d66f8, [antorres@redhat.com]: add fix for BlastRADIUS CVE, commit range backported: 3a00a6ecc188629b0441fd45ad61ca8986de156e^..da643f1edc267ce95260dc36069e6f1a7a4d66f8,
this backport includes changes from other files not included in the commit range, to ensure correct compilation. this backport includes changes from other files not included in the commit range, to ensure correct compilation.
[antorres@redhat.com]: add backport from https://github.com/FreeRADIUS/freeradius-server/commit/3a9449539e4c5a74c85685cad6abe6edf412f701.
--- ---
man/man1/radclient.1 | 10 +- man/man1/radclient.1 | 10 +-
man/man1/radtest.1 | 13 +- man/man1/radtest.1 | 13 +-
@ -65,7 +66,7 @@ this backport includes changes from other files not included in the commit range
src/main/radtest.in | 8 +- src/main/radtest.in | 8 +-
src/main/realms.c | 354 +++- src/main/realms.c | 354 +++-
src/main/session.c | 33 +- src/main/session.c | 33 +-
src/main/stats.c | 177 +- src/main/stats.c | 185 +-
src/main/tls.c | 2012 ++++++++++++++++---- src/main/tls.c | 2012 ++++++++++++++++----
src/main/tls_listen.c | 509 ++++- src/main/tls_listen.c | 509 ++++-
src/modules/proto_dhcp/rlm_dhcp.c | 2 +- src/modules/proto_dhcp/rlm_dhcp.c | 2 +-
@ -100,7 +101,7 @@ this backport includes changes from other files not included in the commit range
src/modules/rlm_wimax/milenage.h | 128 ++ src/modules/rlm_wimax/milenage.h | 128 ++
src/modules/rlm_wimax/rlm_wimax.c | 429 ++++- src/modules/rlm_wimax/rlm_wimax.c | 429 ++++-
src/tests/keywords/md4 | 58 + src/tests/keywords/md4 | 58 +
84 files changed, 9222 insertions(+), 1902 deletions(-) 84 files changed, 9230 insertions(+), 1902 deletions(-)
diff --git a/man/man1/radclient.1 b/man/man1/radclient.1 diff --git a/man/man1/radclient.1 b/man/man1/radclient.1
index 229dcae0c7..b83bee931a 100644 index 229dcae0c7..b83bee931a 100644
@ -8816,10 +8817,10 @@ index e359010a1b..8dbf5a6f14 100644
{ {
ERROR("Simultaneous-Use is not supported"); ERROR("Simultaneous-Use is not supported");
diff --git a/src/main/stats.c b/src/main/stats.c diff --git a/src/main/stats.c b/src/main/stats.c
index 33b5fd238a..6aa908bfea 100644 index 33b5fd238a..2c5df06d8e 100644
--- a/src/main/stats.c --- a/src/main/stats.c
+++ b/src/main/stats.c +++ b/src/main/stats.c
@@ -90,44 +90,58 @@ static void stats_time(fr_stats_t *stats, struct timeval *start, @@ -90,44 +90,66 @@ static void stats_time(fr_stats_t *stats, struct timeval *start,
void request_stats_final(REQUEST *request) void request_stats_final(REQUEST *request)
{ {
@ -8832,6 +8833,14 @@ index 33b5fd238a..6aa908bfea 100644
+ if ((request->options & RAD_REQUEST_OPTION_STATS) != 0) return; + if ((request->options & RAD_REQUEST_OPTION_STATS) != 0) return;
- if ((request->listener->type != RAD_LISTEN_NONE) && - if ((request->listener->type != RAD_LISTEN_NONE) &&
+ /*
+ * This packet was originated by the server, and not
+ * received from a client. It's a status-server or home
+ * server "ping" packet. So we ignore it for statistics
+ * purposes.
+ */
+ if (!request->packet) return;
+
+ /* don't count statistic requests */ + /* don't count statistic requests */
+ if (request->packet->code == PW_CODE_STATUS_SERVER) { + if (request->packet->code == PW_CODE_STATUS_SERVER) {
+ return; + return;
@ -8892,7 +8901,7 @@ index 33b5fd238a..6aa908bfea 100644
#else #else
#define INC_DSC(_x) #define INC_DSC(_x)
#endif #endif
@@ -140,7 +154,7 @@ void request_stats_final(REQUEST *request) @@ -140,7 +162,7 @@ void request_stats_final(REQUEST *request)
* deleted, because only the main server thread calls * deleted, because only the main server thread calls
* this function, which makes it thread-safe. * this function, which makes it thread-safe.
*/ */
@ -8901,7 +8910,7 @@ index 33b5fd238a..6aa908bfea 100644
case PW_CODE_ACCESS_ACCEPT: case PW_CODE_ACCESS_ACCEPT:
INC_AUTH(total_access_accepts); INC_AUTH(total_access_accepts);
@@ -268,7 +282,7 @@ void request_stats_final(REQUEST *request) @@ -268,7 +290,7 @@ void request_stats_final(REQUEST *request)
if (!request->proxy_reply) goto done; /* simplifies formatting */ if (!request->proxy_reply) goto done; /* simplifies formatting */
#undef INC #undef INC
@ -8910,7 +8919,7 @@ index 33b5fd238a..6aa908bfea 100644
switch (request->proxy_reply->code) { switch (request->proxy_reply->code) {
case PW_CODE_ACCESS_ACCEPT: case PW_CODE_ACCESS_ACCEPT:
@@ -339,7 +353,7 @@ void request_stats_final(REQUEST *request) @@ -339,7 +361,7 @@ void request_stats_final(REQUEST *request)
done: done:
#endif /* WITH_PROXY */ #endif /* WITH_PROXY */
@ -8919,7 +8928,7 @@ index 33b5fd238a..6aa908bfea 100644
} }
typedef struct fr_stats2vp { typedef struct fr_stats2vp {
@@ -582,6 +596,23 @@ void request_stats_reply(REQUEST *request) @@ -582,6 +604,23 @@ void request_stats_reply(REQUEST *request)
*/ */
if (!cl) return; if (!cl) return;
} }
@ -8943,7 +8952,7 @@ index 33b5fd238a..6aa908bfea 100644
} }
@@ -597,6 +628,19 @@ void request_stats_reply(REQUEST *request) @@ -597,6 +636,19 @@ void request_stats_reply(REQUEST *request)
} }
#endif #endif
@ -8963,7 +8972,7 @@ index 33b5fd238a..6aa908bfea 100644
/* /*
* Else look it up by number. * Else look it up by number.
*/ */
@@ -615,23 +659,44 @@ void request_stats_reply(REQUEST *request) @@ -615,23 +667,44 @@ void request_stats_reply(REQUEST *request)
* When retrieving client by number, also * When retrieving client by number, also
* echo back it's IP address. * echo back it's IP address.
*/ */
@ -9019,7 +9028,7 @@ index 33b5fd238a..6aa908bfea 100644
} }
if (server_ip) { if (server_ip) {
@@ -674,21 +739,26 @@ void request_stats_reply(REQUEST *request) @@ -674,21 +747,26 @@ void request_stats_reply(REQUEST *request)
* See if we need to look up the server by socket * See if we need to look up the server by socket
* socket. * socket.
*/ */
@ -9054,7 +9063,7 @@ index 33b5fd238a..6aa908bfea 100644
if (!this) { if (!this) {
stats_error(request, "No such listener"); stats_error(request, "No such listener");
return; return;
@@ -730,16 +800,6 @@ void request_stats_reply(REQUEST *request) @@ -730,16 +808,6 @@ void request_stats_reply(REQUEST *request)
VALUE_PAIR *server_ip, *server_port; VALUE_PAIR *server_ip, *server_port;
fr_ipaddr_t ipaddr; fr_ipaddr_t ipaddr;
@ -9071,7 +9080,7 @@ index 33b5fd238a..6aa908bfea 100644
server_port = fr_pair_find_by_num(request->packet->vps, PW_FREERADIUS_STATS_SERVER_PORT, VENDORPEC_FREERADIUS, TAG_ANY); server_port = fr_pair_find_by_num(request->packet->vps, PW_FREERADIUS_STATS_SERVER_PORT, VENDORPEC_FREERADIUS, TAG_ANY);
if (!server_port) { if (!server_port) {
stats_error(request, "No home server port supplied"); stats_error(request, "No home server port supplied");
@@ -749,15 +809,30 @@ void request_stats_reply(REQUEST *request) @@ -749,15 +817,30 @@ void request_stats_reply(REQUEST *request)
#ifndef NDEBUG #ifndef NDEBUG
memset(&ipaddr, 0, sizeof(ipaddr)); memset(&ipaddr, 0, sizeof(ipaddr));
#endif #endif
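Review bot: The new guard `if (!request->packet) return;` stops the NULL dereference at the `request->packet->code == PW_CODE_STATUS_SERVER` test that follows it, but it also returns before the rest of request_stats_final, whose body starts before and continues past this hunk; if a server-originated ping previously reached the `#ifdef WITH_PROXY` proxy-reply accounting (the `done:` label visible in a later hunk), those home-server counters now exclude ping replies, so it is worth confirming that is the intent and not only crash avoidance. The added comment asserts as fact that a missing packet means a status-server or home-server ping; nothing in this function checks that, it is inferred from the reported case, so I would hedge it and cite the upstream fix named in the patch header: `/* No request packet: assumed to be a server-originated ping (status-server / home server check, see upstream 3a9449539e4c); skip it for statistics. */`. A debug-level log before the return would also make it visible when some other path arrives here with a NULL packet.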


@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server Summary: High-performance and highly configurable free RADIUS server
Name: freeradius Name: freeradius
Version: 3.0.21 Version: 3.0.21
Release: 42%{?dist} Release: 43%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/ URL: http://www.freeradius.org/
@ -864,6 +864,10 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog %changelog
* Tue Oct 01 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-43
- Ignore home server ping packets
Resolves: RHEL-54312
* Wed Jul 10 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-42 * Wed Jul 10 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-42
- Backport fixes for BlastRADIUS CVE - Backport fixes for BlastRADIUS CVE
Resolves: RHEL-46567 Resolves: RHEL-46567