Catch more corner cases

Memory leak in esoteric circumstances.

"long" data wasn't handled properly.

diff --git a/src/lib/radius.c b/src/lib/radius.c
index 8bdb9fd58f6ca46677e42332197a0a2a9d41d9d2..c559e02d032932c7c6b489e0ab6b7e51eb242433 100644 (file)
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -2825,6 +2825,31 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet,
                                    data, length, pvp);
        }
 
+       /*
+        *      The data is very long.
+        */
+       if (length > sizeof(vp->vp_octets)) {
+               /*
+                *      Long encrypted attributes are forbidden.
+                */
+               if (da->flags.encrypt != FLAG_ENCRYPT_NONE) goto raw;
+
+#ifndef NDEBUG
+               /*
+                *      Catch programming errors.
+                */
+               if ((da->type != PW_TYPE_STRING) &&
+                   (da->type != PW_TYPE_OCTETS)) goto raw;
+
+#endif
+
+               /*
+                *      FIXME: Figure out how to deal with long
+                *      strings and binary data!
+                */
+               goto raw;
+       }
+
        /*
         *      The attribute is known, and well formed.  We can now
         *      create it.  The main failure from here on in is being
@@ -3325,6 +3350,7 @@ static ssize_t data2vp_continued(const RADIUS_PACKET *packet,
        while (left > 0) {
 #ifndef NDEBUG
                if (data >= (start + length)) {
+                       free(attr);
                        fr_strerror_printf("data2vp_continued: Internal sanity check failed");
                        return -1;
                }