rpms / freeradius

Clone
Source Code
GIT

Blame SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-3.0 c8-stream-3.0 c8s-stream-3.0 c9 c9-beta
  1.   c8-beta-stream-3.0
  2.   SOURCES
  3.   freeradius-fix-crash-on-invalid-abinary-data.patch
Blob History Raw
52ecbf 
From: Antonio Torres <antorres@redhat.com>
52ecbf 
Date: Fri, 09 Dec 2022
52ecbf 
Subject: Fix crash on invalid abinary data
52ecbf
52ecbf 
A malicious RADIUS client or home server can send a malformed abinary
52ecbf 
attribute which can cause the server to crash.
52ecbf
52ecbf 
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
52ecbf
52ecbf 
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
52ecbf 
Signed-off-by: Antonio Torres <antorres@redhat.com>
52ecbf 
---
52ecbf 
diff --git a/src/lib/filters.c b/src/lib/filters.c
52ecbf 
index 4868cd385d9f..3f3b63daeef3 100644
52ecbf 
--- a/src/lib/filters.c
52ecbf 
+++ b/src/lib/filters.c
52ecbf 
@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
52ecbf 
 			}
52ecbf 
 		}
52ecbf 
 	} else if (filter->type == RAD_FILTER_GENERIC) {
52ecbf 
-		int count;
52ecbf 
+		size_t count, masklen;
52ecbf 
+
52ecbf 
+		masklen = ntohs(filter->u.generic.len);
52ecbf 
+		if (masklen >= sizeof(filter->u.generic.mask)) {
52ecbf 
+			*p = '\0';
52ecbf 
+			return;
52ecbf 
+		}
52ecbf
52ecbf 
 		i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
52ecbf 
 		p += i;
52ecbf
52ecbf 
 		/* show the mask */
52ecbf 
-		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
52ecbf 
+		for (count = 0; count < masklen; count++) {
52ecbf 
 			i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
52ecbf 
 			p += i;
52ecbf 
 			outlen -= i;
52ecbf 
@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
52ecbf 
 		outlen--;
52ecbf
52ecbf 
 		/* show the value */
52ecbf 
-		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
52ecbf 
+		for (count = 0; count < masklen; count++) {
52ecbf 
 			i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
52ecbf 
 			p += i;
52ecbf 
 			outlen -= i;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation