limit child allocation depth to MAX_TLV_STACK

author Alan T. DeKok <aland@freeradius.org>

Tue, 31 Oct 2023 19:36:23 +0000 (15:36 -0400)

committer Alan T. DeKok <aland@freeradius.org>

Tue, 31 Oct 2023 19:36:23 +0000 (15:36 -0400)
author Alan T. DeKok <aland@freeradius.org>
Tue, 31 Oct 2023 19:36:23 +0000 (15:36 -0400)
committer Alan T. DeKok <aland@freeradius.org>
Tue, 31 Oct 2023 19:36:23 +0000 (15:36 -0400)
diff --git a/src/lib/util/dict_unknown.c b/src/lib/util/dict_unknown.c

index 3361450582be513b441fd3ba50af5958f4d5596f..3565d579bb7c7962efd95c37dc41566959047daf 100644 (file)
--- a/src/lib/util/dict_unknown.c
+++ b/src/lib/util/dict_unknown.c
@@ -324,6 +324,11 @@ fr_dict_attr_t *fr_dict_unknown_tlv_afrom_num(TALLOC_CTX *ctx, fr_dict_attr_t co
                 return NULL;
         }
  
+       if (parent->depth >= FR_DICT_MAX_TLV_STACK) {
+               fr_strerror_const("Attribute depth is too large");
+               return NULL;
+       }
+
         return dict_attr_alloc(ctx, parent, NULL, num, FR_TYPE_TLV,
                                &(dict_attr_args_t){ .flags = &flags });
  }
@@ -353,6 +358,11 @@ fr_dict_attr_t     *fr_dict_unknown_attr_afrom_num(TALLOC_CTX *ctx, fr_dict_attr_t c
                 return NULL;
         }
  
+       if (parent->depth >= FR_DICT_MAX_TLV_STACK) {
+               fr_strerror_const("Attribute depth is too large");
+               return NULL;
+       }
+
         return dict_attr_alloc(ctx, parent, NULL, num, FR_TYPE_OCTETS,
                                &(dict_attr_args_t){ .flags = &flags });
  }
author	Alan T. DeKok <aland@freeradius.org>
	Tue, 31 Oct 2023 19:36:23 +0000 (15:36 -0400)
committer	Alan T. DeKok <aland@freeradius.org>
	Tue, 31 Oct 2023 19:36:23 +0000 (15:36 -0400)