From 1f5d11bdcfee11b7228204464997508bccaf60d1 Mon Sep 17 00:00:00 2001
From: Nick Porter
Date: Wed, 3 Sep 2025 13:53:13 +0100
Subject: [PATCH] Pacify Coverity (CID #1503923)
Coverity is not correctly doing the calculations inside the loop to realise that block_len is safely limited to protect against out of bounds access to tpasswd.
---
 src/protocols/radius/encode.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/protocols/radius/encode.c b/src/protocols/radius/encode.c
index 5432c63814..867e4b9f31 100644
--- a/src/protocols/radius/encode.c
+++ b/src/protocols/radius/encode.c
@@ -208,6 +208,16 @@ static ssize_t encode_tunnel_password(fr_dbuff_t *dbuff, fr_dbuff_marker_t *in,
 block_len = encrypted_len - n;
 if (block_len > AUTH_PASS_LEN) block_len = AUTH_PASS_LEN;
+#ifdef __COVERITY__
+ /*
+ * Coverity is not doing the calculations correctly - it doesn't see
+ * that setting block_len = encrypted_len - n puts a safe boundary
+ * on block_len so the access to tpasswd won't overflow.
+ */
+ if ((block_len + 2 + n) > RADIUS_MAX_STRING_LENGTH) {
+ block_len = RADIUS_MAX_STRING_LENGTH - n - 3;
+ }
+#endif
 for (i = 0; i < block_len; i++) tpasswd[i + 2 + n] ^= digest[i];
 }
-- 2.47.3
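Review bot: The clamp exists only under `#ifdef __COVERITY__`, so the analyser checks a bound that the shipped build never enforces; if the computation of `encrypted_len` (outside this hunk) changes later, Coverity would stay quiet while the `tpasswd[i + 2 + n]` write in the real build is unguarded. Consider making the invariant hold in every build, for example an assertion before the `for` loop that `block_len + 2 + n` does not exceed `RADIUS_MAX_STRING_LENGTH` (assuming that is the size of `tpasswd`, which the hunk does not show). The clamp also disagrees with its own condition: the test permits `block_len + 2 + n == RADIUS_MAX_STRING_LENGTH`, but the assignment leaves the sum one lower, and `block_len = RADIUS_MAX_STRING_LENGTH - n - 2;` would match it. If `n` and `block_len` are unsigned (their declarations are outside the hunk), the subtraction wraps once `n` comes within three of the limit, so the comment should state why `n` cannot get that large.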