From f54157077f799d84ce26bed6ad6b01c4a16e31cf Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 16 Mar 2024 11:26:58 +0200 Subject: [PATCH] RADIUS DAS: Move Message-Authenticator attribute to be the first one Even if this might not be strictly speaking necessary for mitigating certain RADIUS protocol attacks, be consistent with the RADIUS server behavior and move the Message-Authenticator attribute to be the first attribute in the RADIUS DAS responses from hostapd. Signed-off-by: Jouni Malinen --- src/radius/radius_das.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/radius/radius_das.c b/src/radius/radius_das.c index aaa3fc267..8d7c9b4c4 100644 --- a/src/radius/radius_das.c +++ b/src/radius/radius_das.c @@ -177,6 +177,11 @@ fail: if (reply == NULL) return NULL; + if (!radius_msg_add_msg_auth(reply)) { + radius_msg_free(reply); + return NULL; + } + if (error) { if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) { @@ -368,6 +373,11 @@ fail: if (!reply) return NULL; + if (!radius_msg_add_msg_auth(reply)) { + radius_msg_free(reply); + return NULL; + } + if (error && !radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) { radius_msg_free(reply);