Check buffer as we copy data into it
authorAlan T. DeKok <aland@freeradius.org>
Fri, 4 Dec 2015 13:29:04 +0000 (08:29 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Fri, 4 Dec 2015 13:29:04 +0000 (08:29 -0500)
src/modules/rlm_mschap/rlm_mschap.c

index 94ada65acac15adbed1d33e1cf08077253b3b3c8..f3c10065d1651c26a0b5e7272a84ee31434fea81 100644 (file)
@@ -1668,7 +1668,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
                 */
                uint8_t         new_nt_encrypted[516], old_nt_encrypted[NT_DIGEST_LENGTH];
                VALUE_PAIR      *nt_enc=NULL;
-               int             seq, new_nt_enc_len=0;
+               int             seq, new_nt_enc_len;
                uint8_t         *p;
 
                RDEBUG("MS-CHAPv2 password change request received");
@@ -1689,6 +1689,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
                 *  06:<mschapid>:00:02:<2nd chunk>
                 *  06:<mschapid>:00:03:<3rd chunk>
                 */
+               new_nt_enc_len = 0;
                for (seq = 1; seq < 4; seq++) {
                        vp_cursor_t cursor;
                        int found = 0;
@@ -1717,12 +1718,15 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
                                return RLM_MODULE_INVALID;
                        }
 
-                       /*
-                        * copy the data into the buffer
-                        */
+                       if ((new_nt_enc_len + nt_enc->vp_length - 4)>= sizeof(new_nt_encrypted)) {
+                               REDEBUG("Unpacked MS-CHAP-NT-Enc-PW length > 516");
+                               return RLM_MODULE_INVALID;
+                       }
+
                        memcpy(new_nt_encrypted + new_nt_enc_len, nt_enc->vp_octets + 4, nt_enc->vp_length - 4);
                        new_nt_enc_len += nt_enc->vp_length - 4;
                }
+
                if (new_nt_enc_len != 516) {
                        REDEBUG("Unpacked MS-CHAP-NT-Enc-PW length != 516");
                        return RLM_MODULE_INVALID;
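Review bot: The new bound check is off by one: with three chunks that add up to exactly 516 bytes, the third iteration evaluates `new_nt_enc_len + nt_enc->vp_length - 4` to 516, which is `>= sizeof(new_nt_encrypted)` (516), so every well-formed password-change request is rejected with "length > 516" before the `!= 516` check below can ever pass. Since the memcpy on the next line writes exactly that many bytes into a 516-byte buffer, a total equal to the buffer size is in bounds and only a larger total overflows; the comparison should be `if ((new_nt_enc_len + nt_enc->vp_length - 4) > sizeof(new_nt_encrypted)) {`, which also matches the wording of the error message. The expression mixes the `int` counter with `vp_length` and `sizeof`, so it is evaluated unsigned; that is fine as long as the check above the hunk already guarantees `vp_length >= 4` (presumably it does, since the copy skips a 4-byte prefix, but the condition that returns INVALID at the top of the hunk is not fully visible here). mod_authenticate begins and ends outside this hunk.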