On Friday 08 February 2008 18:34:31 Norman Brandinger wrote:
RADIUS:
sql.conf or whatever you call it:
<snip>
WHERE acctsessionid = '%{Acct-Session-Id}' \ AND acctuniqueid = '%{Acct-Unique-Session-Id}' \ AND username = '%{SQL-User-Name}' \ AND nasipaddress = '%{NAS-IP-Address}'"</snip>
AND acctstoptime = 0
Humm, now I see that OpenSer already does it, but it's not perfect in conjunction with MediaProxy:
When OpenSer receives a BYE it sends a STOP action to radius server which does a SQL query containing:
----------------------------------------------------------- UPDATE radacct SET [...] ConnectInfo_stop = '' WHERE [...] AND ConnectInfo_stop IS NULL -----------------------------------------------------------
So if a new identical BYE is received the SQL query won't have place since "ConnectInfo_stop" now IS NOT NULL (OK).
The problem occurs if the BYE doesn't exist. Then MediaProxy sends an UPDATE action that will perform a SQL query like:
------------------------------------------------------------ UPDATE radacct SET [...] WHERE [...] ------------------------------------------------------------
This SQL doesn't set ConnectInfo_stop = '' so "ConnectInfo_stop" **remains NULL**. So then, the malicious user could send a BYE much later that will generate an STOP action and an effective SQL query.
POSSIBLE SOLUTION: ********************
MediaProxy SQL query (or FreeRadius SQL UPDATE action) does already set: MediaInfo = 'timeout'
The solution then could be setting a new clausule to STOP action:
where MediaInfo != "timeout"
In this way, if a calls ends because RTP timeout (there is not BYE) then a later malicious BYE wouldn't have effect.