Versions Affected : All versions prior to TrueNAS 12.0-U5
libradius did not perform sufficient validation of received messages.
rad_get_attr(3) did not verify that the attribute length is valid before subtracting the length of the Type and Length fields. As a result, it could return success while also providing a bogus length of SIZE_T_MAX - 2 for the Value field. When processing attributes to find an optional authenticator, is_valid_response() failed to verify that each attribute length is non-zero and could thus enter an infinite loop. A server may use libradius(3) to process messages from RADIUS clients. In this case, a malicious client could trigger a denial-of-service in the server. A client using libradius(3) to process messages from a server is susceptible to the same problem. The impact of the rad_get_attr(3) bug depends on how the returned length is validated and used by the consumer. It is possible that libradius(3) applications will crash or enter an infinite loop when calling rad_get_attr(3) on untrusted RADIUS messages.
No workaround is available. Systems not making use of libradius(3) are unaffected.
- Upgrade to TrueNAS 12.0-U5 or later.
- FreeBSD Revision : r369864
- TrueNAS Commit : d43cbb4
- TrueNAS Commit : 31b6269
- JIRA Ticket : NAS-111053