File 6726c165_port.patch of Package freeradius-server.14503
commit 6726c16549b131ed39f6f8886cdf5d9d922a9a97
Author: Alan T. DeKok <aland@freeradius.org>
Date: Tue Jun 27 21:54:10 2017 -0400
FR-GV-302 - do checks based on pointers, not on decoded data
because decoded data may be empty
Index: freeradius-server-3.0.3/src/lib/radius.c
===================================================================
--- freeradius-server-3.0.3.orig/src/lib/radius.c
+++ freeradius-server-3.0.3/src/lib/radius.c
@@ -2933,16 +2933,23 @@ static ssize_t data2vp_concat(RADIUS_PAC
* don't care about walking off of the end of it.
*/
while (ptr < end) {
+ if (ptr[1] < 2) return -1;
+ if ((ptr + ptr[1]) > end) return -1;
+
total += ptr[1] - 2;
ptr += ptr[1];
+ if (ptr == end) break;
+
/*
* Attributes MUST be consecutive.
*/
if (ptr[0] != attr) break;
}
+ end = ptr;
+
vp = pairalloc(packet, da);
if (!vp) return -1;
@@ -2955,7 +2962,7 @@ static ssize_t data2vp_concat(RADIUS_PAC
total = 0;
ptr = start;
- while (total < vp->length) {
+ while (ptr < end) {
memcpy(p, ptr + 2, ptr[1] - 2);
p += ptr[1] - 2;
total += ptr[1] - 2;
@@ -2963,6 +2970,7 @@ static ssize_t data2vp_concat(RADIUS_PAC
}
*pvp = vp;
+
return ptr - start;
}
Index: freeradius-server-3.0.3/src/tests/unit/rfc.txt
===================================================================
--- freeradius-server-3.0.3.orig/src/tests/unit/rfc.txt
+++ freeradius-server-3.0.3/src/tests/unit/rfc.txt
@@ -111,6 +111,18 @@ data Framed-IP-Address = 127.0.0.1
attribute Framed-IP-Address = 127.0.0.1/323
data Invalid IP address suffix "/323". Only '/32' permitted for non-prefix types
+#
+# A "concat" attribute, with no data
+#
+decode 89 02
+data PKM-SS-Cert = 0x
+
+#
+# Or with weirdly formatted data
+#
+decode 89 03 ff 89 02 89 03 fe
+data PKM-SS-Cert = 0xfffe
+
$INCLUDE errors.txt
$INCLUDE extended.txt
$INCLUDE lucent.txt
