Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
freeradius-server
CVE-2022-41860.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2022-41860.patch of Package freeradius-server
based on commit f1cdbb33ec61c4a64a32e107d4d02f936051c708 Author: Alan T. DeKok <aland@freeradius.org> Date: Mon Feb 7 22:26:05 2022 -0500 it's probably wrong to be completely retarded. Let's fix that. Index: freeradius-server-3.0.3/src/modules/rlm_eap/libeap/eapsimlib.c =================================================================== --- freeradius-server-3.0.3.orig/src/modules/rlm_eap/libeap/eapsimlib.c +++ freeradius-server-3.0.3/src/modules/rlm_eap/libeap/eapsimlib.c @@ -318,6 +318,12 @@ int unmap_eapsim_basictypes(RADIUS_PACKE return 0; } + if (!attr[1]) { + fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute, + es_attribute_count); + return 0; + } + eapsim_attribute = attr[0]; eapsim_len = attr[1] * 4; @@ -328,21 +334,36 @@ int unmap_eapsim_basictypes(RADIUS_PACKE return 0; } - if(eapsim_len > MAX_STRING_LEN) { - eapsim_len = MAX_STRING_LEN; - } - if (eapsim_len < 2) { - ERROR("eap: EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute, - es_attribute_count); - return 0; - } + newvp = paircreate(r, eapsim_attribute + ATTRIBUTE_EAP_SIM_BASE, 0); + if (!newvp) { + /* + * RFC 4186 Section 8.1 says 0..127 are + * "non-skippable". If one such + * attribute is found and we don't + * understand it, the server has to send: + * + * EAP-Request/SIM/Notification packet with an + * (AT_NOTIFICATION code, which implies general failure ("General + * failure after authentication" (0), or "General failure" (16384), + * depending on the phase of the exchange), which terminates the + * authentication exchange. + */ + if (eapsim_attribute <= 127) { + fr_strerror_printf("Unknown mandatory attribute %d, failing", + eapsim_attribute); + return 0; + } + } else { + /* + * It's known, ccount for header, and + * copy the value over. + */ + newvp->length = eapsim_len - 2; + newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->length); + memcpy(p, &attr[2], newvp->length); + pairadd(&(r->vps), newvp); + } - newvp = paircreate(r, eapsim_attribute+ATTRIBUTE_EAP_SIM_BASE, 0); - newvp->length = eapsim_len-2; - newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->length); - memcpy(p, &attr[2], eapsim_len-2); - pairadd(&(r->vps), newvp); - newvp = NULL; /* advance pointers, decrement length */ attr += eapsim_len;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor