From: Nick Porter <nick@portercomputing.co.uk>
Date: Wed, 3 Sep 2025 12:53:13 +0000 (+0100)
Subject: Pacify Coverity (CID #1503923)
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f5d11bdcfee11b7228204464997508bccaf60d1;p=thirdparty%2Ffreeradius-server.git

Pacify Coverity (CID #1503923)

Coverity is not correctly doing the calculations inside the loop to
realise that block_len is safely limited to protect against out of
bounds access to tpasswd.
---

diff --git a/src/protocols/radius/encode.c b/src/protocols/radius/encode.c
index 5432c63814..867e4b9f31 100644
--- a/src/protocols/radius/encode.c
+++ b/src/protocols/radius/encode.c
@@ -208,6 +208,16 @@ static ssize_t encode_tunnel_password(fr_dbuff_t *dbuff, fr_dbuff_marker_t *in,
 		block_len = encrypted_len - n;
 		if (block_len > AUTH_PASS_LEN) block_len = AUTH_PASS_LEN;
 
+#ifdef __COVERITY__
+		/*
+		 *	Coverity is not doing the calculations correctly - it doesn't see
+		 *	that setting block_len = encrypted_len - n puts a safe boundary
+		 *	on block_len so the access to tpasswd won't overflow.
+		 */
+		if ((block_len + 2 + n) > RADIUS_MAX_STRING_LENGTH) {
+			block_len = RADIUS_MAX_STRING_LENGTH - n - 3;
+		}
+#endif
 		for (i = 0; i < block_len; i++) tpasswd[i + 2 + n] ^= digest[i];
 	}