check for overflow when we add the length field
authorAlan T. DeKok <aland@freeradius.org>
Thu, 23 Mar 2023 13:43:25 +0000 (09:43 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 23 Mar 2023 13:43:25 +0000 (09:43 -0400)
src/lib/util/struct.c

index efa3cd39f69dd6f6f093188ae6c09e7fe841ed53..f09f3ea215b1d4f8fc338a08a8f6029fc8d94e10 100644 (file)
@@ -78,7 +78,7 @@ ssize_t fr_struct_from_network(TALLOC_CTX *ctx, fr_pair_list_t *out,
         *      Decode structs with length prefixes.
         */
        if (da_is_length_field(parent)) {
-               size_t struct_len, need;
+               size_t struct_len, need, new_len;
 
                if (parent->flags.subtype == FLAG_LENGTH_UINT8) {
                        need = 1;
@@ -115,7 +115,10 @@ ssize_t fr_struct_from_network(TALLOC_CTX *ctx, fr_pair_list_t *out,
                 */
                p += need;
                end = p + struct_len;
-               data_len = struct_len + need - offset;
+               new_len = struct_len + need - offset;
+               if (new_len > data_len) goto unknown;
+
+               data_len = new_len;
        }
 
        /*
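Review bot: The added check `if (new_len > data_len) goto unknown;` runs after `p += need;` and `end = p + struct_len;`, so on the rejection path both cursors have already been moved using a length read from the packet. If nothing earlier in the function (outside this hunk) bounds `struct_len` against the remaining input, `end` may point past the buffer when control reaches `unknown`, and whatever that label does with `p`/`end` then works on unvalidated values. Consider computing `new_len` and doing the comparison before the two pointer updates, so they only happen once the length has been accepted. A short comment would also help the next reader, e.g. `/* unsigned wrap when offset > struct_len + need yields a huge new_len, which this check also rejects */`. The enclosing `if (da_is_length_field(parent))` block starts in the previous hunk and the function continues past this one.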