check for fragment with insufficient room for header

author Alan T. DeKok <aland@freeradius.org>

Fri, 9 Feb 2024 14:49:50 +0000 (09:49 -0500)

committer Alan T. DeKok <aland@freeradius.org>

Fri, 9 Feb 2024 14:49:50 +0000 (09:49 -0500)
author Alan T. DeKok <aland@freeradius.org>
Fri, 9 Feb 2024 14:49:50 +0000 (09:49 -0500)
committer Alan T. DeKok <aland@freeradius.org>
Fri, 9 Feb 2024 14:49:50 +0000 (09:49 -0500)
diff --git a/src/protocols/radius/decode.c b/src/protocols/radius/decode.c

index 8ef039f3867596acb87dc51b63dd148ec0fad9df..d7faf796573bb693ef0f93f4d81f82f91437c6dc 100644 (file)
--- a/src/protocols/radius/decode.c
+++ b/src/protocols/radius/decode.c
@@ -887,7 +887,7 @@ static ssize_t decode_extended_fragments(TALLOC_CTX *ctx, fr_pair_list_t *out,
         last_frag = false;
  
         while (frag < end) {
-               if (last_frag ||
+               if (last_frag || ((end - frag) < 2) ||
                     (frag[0] != attr[0]) ||
                     (frag[1] < 4) ||                   /* too short for long-extended */
                     (frag[2] != attr[2]) ||
author	Alan T. DeKok <aland@freeradius.org>
	Fri, 9 Feb 2024 14:49:50 +0000 (09:49 -0500)
committer	Alan T. DeKok <aland@freeradius.org>
	Fri, 9 Feb 2024 14:49:50 +0000 (09:49 -0500)