double-check iterations size
authorAlan T. DeKok <aland@freeradius.org>
Fri, 7 Jun 2024 14:40:10 +0000 (10:40 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Fri, 7 Jun 2024 14:40:48 +0000 (10:40 -0400)
src/modules/rlm_pap/rlm_pap.c

index 67a363fb7dfa15b5bdd8a3ac2da37a276e578651..4c08019a116636839d3cc1489c55ee6fe674cc02 100644 (file)
@@ -573,6 +573,16 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t
                char iterations_buff[sizeof("4294967295") + 1];
                char *qq;
 
+               /*
+                *      While passwords come from "trusted" sources, we don't trust them too much!
+                */
+               if ((size_t) (q - p) >= sizeof(iterations_buff)) {
+                       REMARKER((char const *) p, q - p,
+                                "Password.PBKDF2 iterations field is too large");
+
+                       goto finish;
+               }
+
                strlcpy(iterations_buff, (char const *)p, (q - p) + 1);
 
                iterations = strtoul(iterations_buff, &qq, 10);
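Review bot: The added length check on `(size_t) (q - p) >= sizeof(iterations_buff)` keeps the strlcpy that follows inside iterations_buff, but it bounds only the digit count, not the parsed value: an 11-character field still fits, and the strtoul on the last line will then yield an iteration count far beyond any sane PBKDF2 cost, so a malformed stored hash becomes a CPU-cost problem at authentication time rather than a parse error. Unless the code after the hunk already rejects it, a range check directly after the strtoul would close that, e.g. `if ((qq == iterations_buff) || (*qq != '\0') || (iterations == 0) || (iterations > MAX_PBKDF2_ITERATIONS /* placeholder: project-chosen limit */)) goto finish;`. The new comment could also say what the check defends rather than only that the input is distrusted, e.g. `/* The field is copied into a fixed-size buffer below; reject anything that would not fit. */`. pap_auth_pbkdf2_parse starts and continues outside the hunk, so the existing handling of qq and of the iteration range is not visible here.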