File CVE-2022-41860.patch of Package freeradius-server.27524

based on

commit f1cdbb33ec61c4a64a32e107d4d02f936051c708
Author: Alan T. DeKok <aland@freeradius.org>
Date:   Mon Feb 7 22:26:05 2022 -0500

    it's probably wrong to be completely retarded.  Let's fix that.

Index: freeradius-server-3.0.3/src/modules/rlm_eap/libeap/eapsimlib.c
===================================================================
--- freeradius-server-3.0.3.orig/src/modules/rlm_eap/libeap/eapsimlib.c
+++ freeradius-server-3.0.3/src/modules/rlm_eap/libeap/eapsimlib.c
@@ -318,6 +318,12 @@ int unmap_eapsim_basictypes(RADIUS_PACKE
 			return 0;
 		}
 
+       if (!attr[1]) {
+           fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute,
+                      es_attribute_count);
+           return 0;
+       }
+
 		eapsim_attribute = attr[0];
 		eapsim_len = attr[1] * 4;
 
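Review bot: The error message in the added `if (!attr[1])` check prints `eapsim_attribute`, but that variable is only assigned from `attr[0]` on the line after the check. The message therefore reports the previous iteration's attribute number, or on the first pass whatever value the variable held before the loop (its initialisation is not visible in this hunk). Pass the current byte instead: `fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0], es_attribute_count);`. The added lines are also indented with spaces while the surrounding context uses tabs. The body of unmap_eapsim_basictypes starts and ends outside the hunk.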
@@ -328,21 +334,36 @@ int unmap_eapsim_basictypes(RADIUS_PACKE
 			return 0;
 		}
 
-		if(eapsim_len > MAX_STRING_LEN) {
-			eapsim_len = MAX_STRING_LEN;
-		}
-		if (eapsim_len < 2) {
-			ERROR("eap: EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
-			      es_attribute_count);
-			       return 0;
-		}
+       newvp = paircreate(r, eapsim_attribute + ATTRIBUTE_EAP_SIM_BASE, 0);
+       if (!newvp) {
+           /*
+            *  RFC 4186 Section 8.1 says 0..127 are
+            *  "non-skippable".  If one such
+            *  attribute is found and we don't
+            *  understand it, the server has to send:
+            *
+            *  EAP-Request/SIM/Notification packet with an
+            *  (AT_NOTIFICATION code, which implies general failure ("General
+            *  failure after authentication" (0), or "General failure" (16384),
+            *  depending on the phase of the exchange), which terminates the
+            *  authentication exchange.
+            */
+           if (eapsim_attribute <= 127) {
+               fr_strerror_printf("Unknown mandatory attribute %d, failing",
+                          eapsim_attribute);
+               return 0;
+           }
+       } else {
+           /*
+            *  It's known, ccount for header, and
+            *  copy the value over.
+            */
+           newvp->length = eapsim_len - 2;
+           newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->length);
+           memcpy(p, &attr[2], newvp->length);
+           pairadd(&(r->vps), newvp);
+       }
 
-		newvp = paircreate(r, eapsim_attribute+ATTRIBUTE_EAP_SIM_BASE, 0);
-		newvp->length = eapsim_len-2;
-		newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->length);
-		memcpy(p, &attr[2], eapsim_len-2);
-		pairadd(&(r->vps), newvp);
-		newvp = NULL;
 
 		/* advance pointers, decrement length */
 		attr += eapsim_len;
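Review bot: The result of `talloc_array` in the `else` branch goes straight into `memcpy` without a NULL check, so an allocation failure while decoding a packet-supplied attribute becomes a write through a NULL pointer. Add `if (!p) { talloc_free(newvp); return 0; }` between the allocation and the `memcpy`. A NULL return from `paircreate` is also treated as "unknown attribute"; if it can fail for any other reason (not visible here), attributes above 127 would be skipped silently instead of failing the parse. The new comments have a typo ("ccount" for "account") and an unbalanced parenthesis before "AT_NOTIFICATION". The enclosing loop starts and ends outside the hunk.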