From 019e35431db17661aa1d74d995fd0315af9a8dbf Mon Sep 17 00:00:00 2001

From: "Alan T. DeKok" <aland@freeradius.org>

Date: Tue, 27 Jun 2017 21:54:10 -0400

Subject: [PATCH] FR-GV-302 - do checks based on pointers, not on decoded data

because decoded data may be empty

---

 src/lib/radius.c       | 10 +++++++++-

 src/tests/unit/rfc.txt | 12 ++++++++++++

 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/lib/radius.c b/src/lib/radius.c

index ad6b15b46..7114e1650 100644

--- a/src/lib/radius.c

+++ b/src/lib/radius.c

@@ -2952,16 +2952,23 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx,

 	 *	don't care about walking off of the end of it.

 	 */

 	while (ptr < end) {

+		if (ptr[1] < 2) return -1;

+		if ((ptr + ptr[1]) > end) return -1;

+

 		total += ptr[1] - 2;

 		ptr += ptr[1];

+		if (ptr == end) break;

+

 		/*

 		 *	Attributes MUST be consecutive.

 		 */

 		if (ptr[0] != attr) break;

 	}

+	end = ptr;

+

 	vp = fr_pair_afrom_da(ctx, da);

 	if (!vp) return -1;

@@ -2974,7 +2981,7 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx,

 	total = 0;

 	ptr = start;

-	while (total < vp->vp_length) {

+	while (ptr < end) {

 		memcpy(p, ptr + 2, ptr[1] - 2);

 		p += ptr[1] - 2;

 		total += ptr[1] - 2;

@@ -2982,6 +2989,7 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx,

 	}

 	*pvp = vp;

+

 	return ptr - start;

 }

diff --git a/src/tests/unit/rfc.txt b/src/tests/unit/rfc.txt

index 00247940b..d870975e3 100644

--- a/src/tests/unit/rfc.txt

+++ b/src/tests/unit/rfc.txt

@@ -178,6 +178,18 @@ data Failed to parse IPv4 address string "256/8"

 attribute PMIP6-Home-IPv4-HoA = bob/8

 data Failed to parse IPv4 address string "bob/8"

+#

+#  A "concat" attribute, with no data

+#

+decode 89 02

+data PKM-SS-Cert = 0x

+

+#

+#  Or with weirdly formatted data

+#

+decode 89 03 ff 89 02 89 03 fe

+data PKM-SS-Cert = 0xfffe

+

 $INCLUDE tunnel.txt

 $INCLUDE errors.txt

 $INCLUDE extended.txt

-- 

2.13.2