Ignore home server ping packets
Resolves: RHEL-54312 Signed-off-by: Antonio Torres <antorres@redhat.com>
parent
1dd179f336
commit
0dae9ec437
@ -15,6 +15,7 @@ to work on top of OpenSSL 3.0 when the system is in FIPS mode. We enable this ma
|
|||||||
[antorres@redhat.com]: mods-available/eap has been modified to comment out 'disable_tlsv1' and 'dh_file' options.
|
[antorres@redhat.com]: mods-available/eap has been modified to comment out 'disable_tlsv1' and 'dh_file' options.
|
||||||
[antorres@redhat.com]: add fix for BlastRADIUS CVE, commit range backported: 3a00a6ecc188629b0441fd45ad61ca8986de156e^..da643f1edc267ce95260dc36069e6f1a7a4d66f8,
|
[antorres@redhat.com]: add fix for BlastRADIUS CVE, commit range backported: 3a00a6ecc188629b0441fd45ad61ca8986de156e^..da643f1edc267ce95260dc36069e6f1a7a4d66f8,
|
||||||
this backport includes changes from other files not included in the commit range, to ensure correct compilation.
|
this backport includes changes from other files not included in the commit range, to ensure correct compilation.
|
||||||
|
[antorres@redhat.com]: add backport from https://github.com/FreeRADIUS/freeradius-server/commit/3a9449539e4c5a74c85685cad6abe6edf412f701.
|
||||||
---
|
---
|
||||||
man/man1/radclient.1 | 10 +-
|
man/man1/radclient.1 | 10 +-
|
||||||
man/man1/radtest.1 | 13 +-
|
man/man1/radtest.1 | 13 +-
|
||||||
@ -65,7 +66,7 @@ this backport includes changes from other files not included in the commit range
|
|||||||
src/main/radtest.in | 8 +-
|
src/main/radtest.in | 8 +-
|
||||||
src/main/realms.c | 354 +++-
|
src/main/realms.c | 354 +++-
|
||||||
src/main/session.c | 33 +-
|
src/main/session.c | 33 +-
|
||||||
src/main/stats.c | 177 +-
|
src/main/stats.c | 185 +-
|
||||||
src/main/tls.c | 2012 ++++++++++++++++----
|
src/main/tls.c | 2012 ++++++++++++++++----
|
||||||
src/main/tls_listen.c | 509 ++++-
|
src/main/tls_listen.c | 509 ++++-
|
||||||
src/modules/proto_dhcp/rlm_dhcp.c | 2 +-
|
src/modules/proto_dhcp/rlm_dhcp.c | 2 +-
|
||||||
@ -100,7 +101,7 @@ this backport includes changes from other files not included in the commit range
|
|||||||
src/modules/rlm_wimax/milenage.h | 128 ++
|
src/modules/rlm_wimax/milenage.h | 128 ++
|
||||||
src/modules/rlm_wimax/rlm_wimax.c | 429 ++++-
|
src/modules/rlm_wimax/rlm_wimax.c | 429 ++++-
|
||||||
src/tests/keywords/md4 | 58 +
|
src/tests/keywords/md4 | 58 +
|
||||||
84 files changed, 9222 insertions(+), 1902 deletions(-)
|
84 files changed, 9230 insertions(+), 1902 deletions(-)
|
||||||
|
|
||||||
diff --git a/man/man1/radclient.1 b/man/man1/radclient.1
|
diff --git a/man/man1/radclient.1 b/man/man1/radclient.1
|
||||||
index 229dcae0c7..b83bee931a 100644
|
index 229dcae0c7..b83bee931a 100644
|
||||||
@ -8816,10 +8817,10 @@ index e359010a1b..8dbf5a6f14 100644
|
|||||||
{
|
{
|
||||||
ERROR("Simultaneous-Use is not supported");
|
ERROR("Simultaneous-Use is not supported");
|
||||||
diff --git a/src/main/stats.c b/src/main/stats.c
|
diff --git a/src/main/stats.c b/src/main/stats.c
|
||||||
index 33b5fd238a..6aa908bfea 100644
|
index 33b5fd238a..2c5df06d8e 100644
|
||||||
--- a/src/main/stats.c
|
--- a/src/main/stats.c
|
||||||
+++ b/src/main/stats.c
|
+++ b/src/main/stats.c
|
||||||
@@ -90,44 +90,58 @@ static void stats_time(fr_stats_t *stats, struct timeval *start,
|
@@ -90,44 +90,66 @@ static void stats_time(fr_stats_t *stats, struct timeval *start,
|
||||||
|
|
||||||
void request_stats_final(REQUEST *request)
|
void request_stats_final(REQUEST *request)
|
||||||
{
|
{
|
||||||
@ -8832,6 +8833,14 @@ index 33b5fd238a..6aa908bfea 100644
|
|||||||
+ if ((request->options & RAD_REQUEST_OPTION_STATS) != 0) return;
|
+ if ((request->options & RAD_REQUEST_OPTION_STATS) != 0) return;
|
||||||
|
|
||||||
- if ((request->listener->type != RAD_LISTEN_NONE) &&
|
- if ((request->listener->type != RAD_LISTEN_NONE) &&
|
||||||
|
+ /*
|
||||||
|
+ * This packet was originated by the server, and not
|
||||||
|
+ * received from a client. It's a status-server or home
|
||||||
|
+ * server "ping" packet. So we ignore it for statistics
|
||||||
|
+ * purposes.
|
||||||
|
+ */
|
||||||
|
+ if (!request->packet) return;
|
||||||
|
+
|
||||||
+ /* don't count statistic requests */
|
+ /* don't count statistic requests */
|
||||||
+ if (request->packet->code == PW_CODE_STATUS_SERVER) {
|
+ if (request->packet->code == PW_CODE_STATUS_SERVER) {
|
||||||
+ return;
|
+ return;
|
||||||
@ -8892,7 +8901,7 @@ index 33b5fd238a..6aa908bfea 100644
|
|||||||
#else
|
#else
|
||||||
#define INC_DSC(_x)
|
#define INC_DSC(_x)
|
||||||
#endif
|
#endif
|
||||||
@@ -140,7 +154,7 @@ void request_stats_final(REQUEST *request)
|
@@ -140,7 +162,7 @@ void request_stats_final(REQUEST *request)
|
||||||
* deleted, because only the main server thread calls
|
* deleted, because only the main server thread calls
|
||||||
* this function, which makes it thread-safe.
|
* this function, which makes it thread-safe.
|
||||||
*/
|
*/
|
||||||
@ -8901,7 +8910,7 @@ index 33b5fd238a..6aa908bfea 100644
|
|||||||
case PW_CODE_ACCESS_ACCEPT:
|
case PW_CODE_ACCESS_ACCEPT:
|
||||||
INC_AUTH(total_access_accepts);
|
INC_AUTH(total_access_accepts);
|
||||||
|
|
||||||
@@ -268,7 +282,7 @@ void request_stats_final(REQUEST *request)
|
@@ -268,7 +290,7 @@ void request_stats_final(REQUEST *request)
|
||||||
if (!request->proxy_reply) goto done; /* simplifies formatting */
|
if (!request->proxy_reply) goto done; /* simplifies formatting */
|
||||||
|
|
||||||
#undef INC
|
#undef INC
|
||||||
@ -8910,7 +8919,7 @@ index 33b5fd238a..6aa908bfea 100644
|
|||||||
|
|
||||||
switch (request->proxy_reply->code) {
|
switch (request->proxy_reply->code) {
|
||||||
case PW_CODE_ACCESS_ACCEPT:
|
case PW_CODE_ACCESS_ACCEPT:
|
||||||
@@ -339,7 +353,7 @@ void request_stats_final(REQUEST *request)
|
@@ -339,7 +361,7 @@ void request_stats_final(REQUEST *request)
|
||||||
done:
|
done:
|
||||||
#endif /* WITH_PROXY */
|
#endif /* WITH_PROXY */
|
||||||
|
|
||||||
@ -8919,7 +8928,7 @@ index 33b5fd238a..6aa908bfea 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
typedef struct fr_stats2vp {
|
typedef struct fr_stats2vp {
|
||||||
@@ -582,6 +596,23 @@ void request_stats_reply(REQUEST *request)
|
@@ -582,6 +604,23 @@ void request_stats_reply(REQUEST *request)
|
||||||
*/
|
*/
|
||||||
if (!cl) return;
|
if (!cl) return;
|
||||||
}
|
}
|
||||||
@ -8943,7 +8952,7 @@ index 33b5fd238a..6aa908bfea 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -597,6 +628,19 @@ void request_stats_reply(REQUEST *request)
|
@@ -597,6 +636,19 @@ void request_stats_reply(REQUEST *request)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -8963,7 +8972,7 @@ index 33b5fd238a..6aa908bfea 100644
|
|||||||
/*
|
/*
|
||||||
* Else look it up by number.
|
* Else look it up by number.
|
||||||
*/
|
*/
|
||||||
@@ -615,23 +659,44 @@ void request_stats_reply(REQUEST *request)
|
@@ -615,23 +667,44 @@ void request_stats_reply(REQUEST *request)
|
||||||
* When retrieving client by number, also
|
* When retrieving client by number, also
|
||||||
* echo back it's IP address.
|
* echo back it's IP address.
|
||||||
*/
|
*/
|
||||||
@ -9019,7 +9028,7 @@ index 33b5fd238a..6aa908bfea 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (server_ip) {
|
if (server_ip) {
|
||||||
@@ -674,21 +739,26 @@ void request_stats_reply(REQUEST *request)
|
@@ -674,21 +747,26 @@ void request_stats_reply(REQUEST *request)
|
||||||
* See if we need to look up the server by socket
|
* See if we need to look up the server by socket
|
||||||
* socket.
|
* socket.
|
||||||
*/
|
*/
|
||||||
@ -9054,7 +9063,7 @@ index 33b5fd238a..6aa908bfea 100644
|
|||||||
if (!this) {
|
if (!this) {
|
||||||
stats_error(request, "No such listener");
|
stats_error(request, "No such listener");
|
||||||
return;
|
return;
|
||||||
@@ -730,16 +800,6 @@ void request_stats_reply(REQUEST *request)
|
@@ -730,16 +808,6 @@ void request_stats_reply(REQUEST *request)
|
||||||
VALUE_PAIR *server_ip, *server_port;
|
VALUE_PAIR *server_ip, *server_port;
|
||||||
fr_ipaddr_t ipaddr;
|
fr_ipaddr_t ipaddr;
|
||||||
|
|
||||||
@ -9071,7 +9080,7 @@ index 33b5fd238a..6aa908bfea 100644
|
|||||||
server_port = fr_pair_find_by_num(request->packet->vps, PW_FREERADIUS_STATS_SERVER_PORT, VENDORPEC_FREERADIUS, TAG_ANY);
|
server_port = fr_pair_find_by_num(request->packet->vps, PW_FREERADIUS_STATS_SERVER_PORT, VENDORPEC_FREERADIUS, TAG_ANY);
|
||||||
if (!server_port) {
|
if (!server_port) {
|
||||||
stats_error(request, "No home server port supplied");
|
stats_error(request, "No home server port supplied");
|
||||||
@@ -749,15 +809,30 @@ void request_stats_reply(REQUEST *request)
|
@@ -749,15 +817,30 @@ void request_stats_reply(REQUEST *request)
|
||||||
#ifndef NDEBUG
|
#ifndef NDEBUG
|
||||||
memset(&ipaddr, 0, sizeof(ipaddr));
|
memset(&ipaddr, 0, sizeof(ipaddr));
|
||||||
#endif
|
#endif
|
||||||
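Review bot: The patch-header entry added for this backport gives only the upstream commit URL and does not say what it fixes, unlike the BlastRADIUS entry above it. In the request_stats_final() hunk, the new `if (!request->packet) return;` sits directly ahead of the existing `request->packet->code == PW_CODE_STATUS_SERVER` test, so it appears to close a NULL-pointer dereference for server-originated status-server / home-server ping requests, which would presumably crash the daemon. I would keep the URL and append a short reason to the entry, e.g. `(adds a NULL check on request->packet in request_stats_final() for server-originated ping packets)`, so the motivation survives future rebases of this patch. The function body continues outside the visible hunk, so whether later code in request_stats_final() or request_stats_reply() needs the same guard cannot be judged from here.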
|
@ -1,7 +1,7 @@
|
|||||||
Summary: High-performance and highly configurable free RADIUS server
|
Summary: High-performance and highly configurable free RADIUS server
|
||||||
Name: freeradius
|
Name: freeradius
|
||||||
Version: 3.0.21
|
Version: 3.0.21
|
||||||
Release: 42%{?dist}
|
Release: 43%{?dist}
|
||||||
License: GPLv2+ and LGPLv2+
|
License: GPLv2+ and LGPLv2+
|
||||||
URL: http://www.freeradius.org/
|
URL: http://www.freeradius.org/
|
||||||
|
|
||||||
@ -864,6 +864,10 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Oct 01 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-43
|
||||||
|
- Ignore home server ping packets
|
||||||
|
Resolves: RHEL-54312
|
||||||
|
|
||||||
* Wed Jul 10 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-42
|
* Wed Jul 10 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-42
|
||||||
- Backport fixes for BlastRADIUS CVE
|
- Backport fixes for BlastRADIUS CVE
|
||||||
Resolves: RHEL-46567
|
Resolves: RHEL-46567
|
||||||
|