From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Wed, 26 Jan 2022 19:25:19 +0000 (-0600)
Subject: Same deal with fr_value_box_memdup
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b9f330aa215e43b4262cef62958ae700d1b0f56;p=thirdparty%2Ffreeradius-server.git

Same deal with fr_value_box_memdup
---

diff --git a/src/lib/util/pair.c b/src/lib/util/pair.c
index 9ae962cb64..64a2a57c4e 100644
--- a/src/lib/util/pair.c
+++ b/src/lib/util/pair.c
@@ -2293,23 +2293,27 @@ int fr_pair_value_mem_realloc(fr_pair_t *vp, uint8_t **out, size_t size)
  *
  * @param[in,out] vp	to update
  * @param[in] src	data to copy
- * @param[in] size	of the data.
+ * @param[in] len	of the data.
  * @param[in] tainted	Whether the value came from a trusted source.
  * @return
  *      - 0 on success.
  *	- -1 on failure.
  */
-int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t size, bool tainted)
+int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
 {
 	int ret;
 
+	if (unlikely((len > 0) && !src)) {
+		fr_strerror_printf("Invalid arguments to %s.  Len > 0 (%zu) but src string was NULL",
+				   __FUNCTION__, len);
+		return -1;
+	}
+
 	if (!fr_cond_assert(vp->da->type == FR_TYPE_OCTETS)) return -1;
 
 	fr_value_box_clear(&vp->data);	/* Free any existing buffers */
-	ret = fr_value_box_memdup(vp, &vp->data, vp->da, src, size, tainted);
-	if (ret == 0) {
-		PAIR_VERIFY(vp);
-	}
+	ret = fr_value_box_memdup(vp, &vp->data, vp->da, src, len, tainted);
+	if (ret == 0) PAIR_VERIFY(vp);
 
 	return ret;
 }
diff --git a/src/lib/util/value.c b/src/lib/util/value.c
index e201d36e4f..e348ed180a 100644
--- a/src/lib/util/value.c
+++ b/src/lib/util/value.c
@@ -4116,6 +4116,12 @@ int fr_value_box_memdup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t con
 {
 	uint8_t *bin;
 
+	if (unlikely((len > 0) && !src)) {
+		fr_strerror_printf("Invalid arguments to %s.  Len > 0 (%zu) but src was NULL",
+				   __FUNCTION__, len);
+		return -1;
+	}
+
 	bin = talloc_memdup(ctx, src, len);
 	if (!bin) {
 		fr_strerror_const("Failed allocating octets buffer");
diff --git a/src/lib/util/value.h b/src/lib/util/value.h
index 2623a93eaa..8eb9bf63c8 100644
--- a/src/lib/util/value.h
+++ b/src/lib/util/value.h
@@ -838,7 +838,7 @@ int		fr_value_box_mem_realloc(TALLOC_CTX *ctx, uint8_t **out, fr_value_box_t *ds
 
 int		fr_value_box_memdup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv,
 				    uint8_t const *src, size_t len, bool tainted)
-		CC_HINT(nonnull(2,4));
+		CC_HINT(nonnull(2)); /* src may be NULL if len == 0 */
 
 int		fr_value_box_memdup_dbuff(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv,
 					  fr_dbuff_t *dbuff, size_t len, bool tainted)