From 019e35431db17661aa1d74d995fd0315af9a8dbf Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Tue, 27 Jun 2017 21:54:10 -0400
Subject: [PATCH] FR-GV-302 - do checks based on pointers, not on decoded data because decoded data may be empty
---
 src/lib/radius.c | 10 +++++++++-
 src/tests/unit/rfc.txt | 12 ++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/lib/radius.c b/src/lib/radius.c
index ad6b15b46..7114e1650 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -2952,16 +2952,23 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx,
 * don't care about walking off of the end of it.
 */
 while (ptr < end) {
+ if (ptr[1] < 2) return -1;
+ if ((ptr + ptr[1]) > end) return -1;
+
 total += ptr[1] - 2;
 ptr += ptr[1];
+ if (ptr == end) break;
+
 /*
 * Attributes MUST be consecutive.
 */
 if (ptr[0] != attr) break;
 }
+ end = ptr;
+
 vp = fr_pair_afrom_da(ctx, da);
 if (!vp) return -1;
@@ -2974,7 +2981,7 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx,
 total = 0;
 ptr = start;
- while (total < vp->vp_length) {
+ while (ptr < end) {
 memcpy(p, ptr + 2, ptr[1] - 2);
 p += ptr[1] - 2;
 total += ptr[1] - 2;
@@ -2982,6 +2989,7 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx,
 }
 *pvp = vp;
+
 return ptr - start;
 }
diff --git a/src/tests/unit/rfc.txt b/src/tests/unit/rfc.txt
index 00247940b..d870975e3 100644
--- a/src/tests/unit/rfc.txt
+++ b/src/tests/unit/rfc.txt
@@ -178,6 +178,18 @@ data Failed to parse IPv4 address string "256/8"
 attribute PMIP6-Home-IPv4-HoA = bob/8
 data Failed to parse IPv4 address string "bob/8"
+#
+# A "concat" attribute, with no data
+#
+decode 89 02
+data PKM-SS-Cert = 0x
+
+#
+# Or with weirdly formatted data
+#
+decode 89 03 ff 89 02 89 03 fe
+data PKM-SS-Cert = 0xfffe
+
 $INCLUDE tunnel.txt
 $INCLUDE errors.txt
 $INCLUDE extended.txt
--
2.13.2
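Review bot: In the first loop of data2vp_concat, the new `if (ptr[1] < 2) return -1;` reads `ptr[1]` while the loop condition guarantees only `ptr < end`, so on a later iteration with a single byte left before `end` it reads one byte past the buffer. The comment above the loop suggests the caller has already validated the layout, but if that held in every case the new checks would not be needed, so a preceding `if ((end - ptr) < 2) return -1;` seems warranted. The second check, `(ptr + ptr[1]) > end`, can form a pointer beyond one-past-the-end, which is undefined behaviour in C; `if (ptr[1] > (end - ptr)) return -1;` tests the same condition on lengths. The function begins and ends outside this hunk.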
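Review bot: With the copy loop now bounded by `while (ptr < end)`, the `total = 0;` before it and the `total += ptr[1] - 2;` inside it look like dead stores, unless a line outside the hunk still reads `total`. Either drop both, or keep the counter and check after the loop that the bytes copied equal `vp->vp_length`, so that the allocation size from the first pass and the `memcpy` lengths of the second are visibly tied together. The end of the loop body is outside this hunk.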
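Review bot: Both new cases exercise only successful decodes; neither rejection path added to data2vp_concat (`ptr[1] < 2`, and an attribute length running past `end`) has a case here. Consider adding one `decode` case whose second fragment has a length octet below 2 and one whose length exceeds the remaining bytes, each paired with the failure output the harness reports. Whether such input reaches data2vp_concat or is rejected earlier is not visible from this hunk, so confirm that when writing the expected `data` lines. A one-line comment on the second case, saying that the empty middle fragment `89 02` is accepted on purpose, would also help.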