From: Alan T. DeKok <aland@freeradius.org>
Date: Tue, 31 Oct 2023 19:36:23 +0000 (-0400)
Subject: limit child allocation depth to MAX_TLV_STACK
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09ff0b4970209958d61f2531e2f3cb624c344bbf;p=thirdparty%2Ffreeradius-server.git

limit child allocation depth to MAX_TLV_STACK
---

diff --git a/src/lib/util/dict_unknown.c b/src/lib/util/dict_unknown.c
index 3361450582b..3565d579bb7 100644
--- a/src/lib/util/dict_unknown.c
+++ b/src/lib/util/dict_unknown.c
@@ -324,6 +324,11 @@ fr_dict_attr_t *fr_dict_unknown_tlv_afrom_num(TALLOC_CTX *ctx, fr_dict_attr_t co
 		return NULL;
 	}
 
+	if (parent->depth >= FR_DICT_MAX_TLV_STACK) {
+		fr_strerror_const("Attribute depth is too large");
+		return NULL;
+	}
+
 	return dict_attr_alloc(ctx, parent, NULL, num, FR_TYPE_TLV,
 			       &(dict_attr_args_t){ .flags = &flags });
 }
@@ -353,6 +358,11 @@ fr_dict_attr_t	*fr_dict_unknown_attr_afrom_num(TALLOC_CTX *ctx, fr_dict_attr_t c
 		return NULL;
 	}
 
+	if (parent->depth >= FR_DICT_MAX_TLV_STACK) {
+		fr_strerror_const("Attribute depth is too large");
+		return NULL;
+	}
+
 	return dict_attr_alloc(ctx, parent, NULL, num, FR_TYPE_OCTETS,
 			       &(dict_attr_args_t){ .flags = &flags });
 }