check EAP header byte 0, too, and add debug messages

author Alan T. DeKok <aland@freeradius.org>

Wed, 29 Mar 2023 08:05:11 +0000 (17:05 +0900)

committer Alan T. DeKok <aland@freeradius.org>

Wed, 29 Mar 2023 08:05:11 +0000 (17:05 +0900)
author Alan T. DeKok <aland@freeradius.org>
Wed, 29 Mar 2023 08:05:11 +0000 (17:05 +0900)
committer Alan T. DeKok <aland@freeradius.org>
Wed, 29 Mar 2023 08:05:11 +0000 (17:05 +0900)
diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c

index 03a3f7d641c5c4a30e1a255756a541e9711d089a..9a5ea0095510c05986263130b663be9f440713a2 100644 (file)
--- a/src/modules/rlm_eap/rlm_eap.c
+++ b/src/modules/rlm_eap/rlm_eap.c
@@ -571,12 +571,24 @@ static rlm_rcode_t CC_HINT(nonnull) mod_pre_proxy(void *instance, REQUEST *reque
  
         if (vp->vp_length < 4) return RLM_MODULE_NOOP;
  
+       if ((vp->vp_octets[0] == 0) ||( vp->vp_octets[0] > 6)) {
+               RDEBUG("EAP header byte zero has invalid value");
+               return RLM_MODULE_REJECT;
+       }
+
         length = (vp->vp_octets[2] << 8) | vp->vp_octets[3];
-       if (length != vp->vp_length) return RLM_MODULE_REJECT;
+       if (length != vp->vp_length) {
+               RDEBUG("EAP length does not match attribute length");
+               return RLM_MODULE_REJECT;
+       }
  
+       if (vp->vp_octets[0] != PW_EAP_REQUEST) return RLM_MODULE_NOOP;
         if (!inst->max_eap_type) return RLM_MODULE_NOOP;
  
-       if (vp->vp_octets[4] > inst->max_eap_type) return RLM_MODULE_REJECT;
+       if (vp->vp_octets[4] > inst->max_eap_type) {
+               RDEBUG("EAP method %u is too large", vp->vp_octets[0]);
+               return RLM_MODULE_REJECT;
+       }
  
         return RLM_MODULE_NOOP;
  }
author	Alan T. DeKok <aland@freeradius.org>
	Wed, 29 Mar 2023 08:05:11 +0000 (17:05 +0900)
committer	Alan T. DeKok <aland@freeradius.org>
	Wed, 29 Mar 2023 08:05:11 +0000 (17:05 +0900)