[tac_plus] Re: Cisco VPN 3000

john heasley heas at shrubbery.net
Fri Jun 27 16:46:53 UTC 2008


Fri, May 30, 2008 at 12:06:12PM -0400, John Payne:
> I'm getting the feeling I'm the only one using the NAC_address  
> (connect_origin) field regularly, as neither Juniper nor Force10  
> populate it :(
> 
> Anyhoo.  With the VPN 3000, I'm noticing that identity->NAC_address  
> is getting 3 extra characters appended.  I suspect it's because  
> rem_addr_len is off-by-3, but as it hasn't otherwise affected  
> operation, I'm not sure if this is a potential crash waiting to happen.
> 
> As I know that all my devices that do send connect_origin are going to  
> be IP addresses, I think I can work around this... but it does draw  
> my attention to the lack of data validation in do_start(), for example:
> 
>      identity.NAC_address = tac_make_string(p, (int)start->rem_addr_len);
>      p += start->rem_addr_len;
> ...
>      bcopy(p, authen_data.client_data, start->data_len);
> 
> If rem_addr_len is wrong, isn't it possible for client_data to now  
> contain data from uninitialized memory (past the "end" of pak)?

Yes, you are correct; but if you look at callers of these functions (those
with this idiom), you'll see that the length is checked prior to the
call to them (except for one that is self-contained).
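A bounds-checked parser for the authentication START body discussed above, as an added example in C that is not tac_plus code: the field layout follows RFC 8907, while the names parse_start_body, parse_sample and start_fields and the sample packet are constructed here. It rejects a body whose declared lengths (rem_addr_len included) do not add up to the bytes actually received, so the later copies can never run past the packet.

```c
#include <stdint.h>
#include <string.h>

/* TACACS+ authentication START body (RFC 8907 sec. 5.1) begins with action,
 * priv_lvl, authen_type, authen_service and four one-byte field lengths. */
#define START_FIXED_LEN 8

struct start_fields {
    const uint8_t *user, *port, *rem_addr, *data;
    size_t user_len, port_len, rem_addr_len, data_len;
};

/* Check the four declared lengths against body_len before deriving pointers.
 * Returns 0 on success, -1 if the body is shorter than the lengths claim
 * (a copy would run past the packet) or longer (trailing bytes). */
int parse_start_body(const uint8_t *buf, size_t body_len, struct start_fields *out)
{
    if (body_len < START_FIXED_LEN)
        return -1;
    out->user_len = buf[4];
    out->port_len = buf[5];
    out->rem_addr_len = buf[6];
    out->data_len = buf[7];
    size_t need = START_FIXED_LEN + out->user_len + out->port_len
                + out->rem_addr_len + out->data_len;
    if (need != body_len)
        return -1;
    const uint8_t *p = buf + START_FIXED_LEN;
    out->user = p;     p += out->user_len;
    out->port = p;     p += out->port_len;
    out->rem_addr = p; p += out->rem_addr_len;
    out->data = p;
    return 0;
}

/* Constructed sample (not from the list post): START body for user "bob",
 * port "tty0", rem_addr "10.0.0.1", no data; the caller supplies the
 * rem_addr_len byte so a mis-declared length can be exercised. */
int parse_sample(uint8_t rem_addr_len_byte)
{
    uint8_t body[64] = { 0x01, 0x01, 0x01, 0x01, 3, 4, rem_addr_len_byte, 0 };
    size_t n = 8; /* LOGIN, priv 1, ASCII, LOGIN, then the four lengths */
    memcpy(body + n, "bob", 3);      n += 3;
    memcpy(body + n, "tty0", 4);     n += 4;
    memcpy(body + n, "10.0.0.1", 8); n += 8;
    struct start_fields f;
    return parse_start_body(body, n, &f);
}
```

With the correct rem_addr_len of 8 the sample parses; a value of 11 (three bytes too long, as the VPN 3000 behaviour described above would produce) or 5 is rejected before any field pointer is handed out.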
