too long lengths are encode errors

author Alan T. DeKok <aland@freeradius.org>

Sat, 25 Feb 2023 14:51:04 +0000 (09:51 -0500)

committer Alan T. DeKok <aland@freeradius.org>

Mon, 27 Feb 2023 14:12:26 +0000 (09:12 -0500)
author Alan T. DeKok <aland@freeradius.org>
Sat, 25 Feb 2023 14:51:04 +0000 (09:51 -0500)
committer Alan T. DeKok <aland@freeradius.org>
Mon, 27 Feb 2023 14:12:26 +0000 (09:12 -0500)
diff --git a/src/lib/util/struct.c b/src/lib/util/struct.c

index 1bc13fbc76a67985324e99de695e450ecc139252..b73b80e4c7b594560b895ae3c8827e12bea32bfc 100644 (file)
--- a/src/lib/util/struct.c
+++ b/src/lib/util/struct.c
@@ -111,6 +111,10 @@ ssize_t fr_struct_from_network(TALLOC_CTX *ctx, fr_pair_list_t *out,
                 data_len = struct_len + need;
         }
  
+       /*
+        *      @todo - If the struct is truncated on a MEMBER boundary, we silently omit
+        *      the trailing members.  Maybe this should be an error?
+        */
         while (p < end) {
                 size_t child_length;
  
@@ -802,10 +806,20 @@ done:
         }
  
         if (do_length) {
+               uint16_t length = fr_dbuff_used(&work_dbuff);
+
                 if (parent->flags.subtype == FLAG_LENGTH_UINT8) {
-                       (void) fr_dbuff_in(&hdr, (uint8_t) (fr_dbuff_used(&work_dbuff) - 1));
+                       length -= 1;
+
+                       if (length > UINT8_MAX) return -1;
+
+                       (void) fr_dbuff_in(&hdr, (uint8_t) length);
                 } else {
-                       (void) fr_dbuff_in(&hdr, (uint16_t) (fr_dbuff_used(&work_dbuff) - 2));
+                       length -= 2;
+
+                       if (length > UINT16_MAX) return -1;
+
+                       (void) fr_dbuff_in(&hdr, (uint16_t) length);
                 }
         }
author	Alan T. DeKok <aland@freeradius.org>
	Sat, 25 Feb 2023 14:51:04 +0000 (09:51 -0500)
committer	Alan T. DeKok <aland@freeradius.org>
	Mon, 27 Feb 2023 14:12:26 +0000 (09:12 -0500)