From: Arran Cudbard-Bell
Date: Wed, 27 Oct 2021 17:55:52 +0000 (-0400)
Subject: Don't use an intermediary buffer
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03d6895d0962f8cad5a2e79ee3a911ca3a339f7f;p=thirdparty%2Ffreeradius-server.git

Don't use an intermediary buffer
---
diff --git a/src/lib/util/fuzzer.c b/src/lib/util/fuzzer.c
index 5e6b8bf707c..4a014f7c29b 100644
--- a/src/lib/util/fuzzer.c
+++ b/src/lib/util/fuzzer.c
@@ -41,9 +41,8 @@ static ssize_t util_decode_proto(TALLOC_CTX *ctx, UNUSED fr_pair_list_t *out, ui
 ssize_t rcode;
 fr_type_t type;
 fr_value_box_t *box;
- uint8_t *copy;

- if (data_len == 1) return data_len;
+ if (data_len < 1) return data_len; /* We want to check zero length input too */

 type = data[0];
 switch (type) {
@@ -57,25 +56,7 @@ static ssize_t util_decode_proto(TALLOC_CTX *ctx, UNUSED fr_pair_list_t *out, ui
 box = fr_value_box_alloc(ctx, type, NULL, true);
 if (!box) return -1;

- /*
- * Copy the input, and ensure that it's zero terminated.
- */
- copy = talloc_zero_array(box, uint8_t, data_len);
- if (!copy) {
- talloc_free(box);
- return -1;
- }
- memcpy(copy, data + 1, data_len - 1);
-
-
- /*
- * Some things in fr_value_box_from_substr() don't yet respect
- * data_len. This means that if there's no zero
- * termination, we _know_ there will be buffer over-runs.
- */
- rcode = fr_value_box_from_str(box, box, type, NULL,
- (char const *)copy, data_len - 1,
- NULL, true);
+ rcode = fr_value_box_from_str(box, box, type, NULL, (char const *)data + 1, data_len - 1, NULL, true);
 talloc_free(box);
 return rcode;
 }
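Review bot: The trailing comment on the new guard `if (data_len < 1) return data_len;` reads as the opposite of what that line does. The guard still skips a truly empty input; what changes is that a one-byte input (the type byte alone) now reaches the parser with a zero-length value. A wording such as `/* Need at least the type byte; a 1-byte input exercises the zero-length value case */` would say that. The declaration of data_len is cut off in the hunk header, so this assumes it is unsigned (making `< 1` equivalent to `== 0`), and the function body continues outside the hunk.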
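Review bot: The call to `fr_value_box_from_str()` now receives `data + 1` with no terminating NUL, and the comment explaining why a zero-terminated copy was needed is deleted without a replacement, so the new contract is undocumented. The removed text said some parsers did not respect the length; whether every type's parser does so now is not visible in this diff. For a one-byte input the pointer is one past the end of the buffer with length 0, so the callee must check the length before any dereference. If the intent is to let the sanitizers catch such reads, a comment above the call would record it, e.g. `/* Input is passed unterminated on purpose: any parser reading beyond data_len - 1 is a bug the sanitizers should report */`. The function starts outside the hunk.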