From: Alan T. DeKok <aland@freeradius.org>
Date: Tue, 17 Feb 2026 16:07:46 +0000 (-0500)
Subject: various bug fixes for chbind.c
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d9876979e730494d46ee4ae047fd7949cdc138e;p=thirdparty%2Ffreeradius-server.git

various bug fixes for chbind.c
---

diff --git a/src/lib/eap/chbind.c b/src/lib/eap/chbind.c
index e3a84135339..fb2881fd458 100644
--- a/src/lib/eap/chbind.c
+++ b/src/lib/eap/chbind.c
@@ -37,7 +37,7 @@ static bool chbind_build_response(request_t *request, CHBIND_REQ *chbind)
 {
 	ssize_t			slen;
 	size_t			total;
-	uint8_t			*ptr, *end;
+	uint8_t			*ptr, *start, *end;
 	fr_pair_t		const *vp;
 	fr_dcursor_t		cursor;
 
@@ -58,9 +58,9 @@ static bool chbind_build_response(request_t *request, CHBIND_REQ *chbind)
 	 *	No attributes: just send a 1-byte response code.
 	 */
 	if (!total) {
-		ptr = talloc_zero_array(chbind, uint8_t, 1);
+		ptr = start = talloc_zero_array(chbind, uint8_t, 1);
 	} else {
-		ptr = talloc_zero_array(chbind, uint8_t, total + 4);
+		ptr = start = talloc_zero_array(chbind, uint8_t, total + 4);
 	}
 	if (!ptr) return false;
 	chbind->response = (chbind_packet_t *) ptr;
@@ -94,22 +94,24 @@ static bool chbind_build_response(request_t *request, CHBIND_REQ *chbind)
 	while ((vp = fr_dcursor_current(&cursor)) && (ptr < end)) {
 		/*
 		 *	Skip things which shouldn't be in channel bindings.
-		 *	i.e. tagged, encrypted, or extended attributes
 		 */
-		if (vp->da->flags.subtype) {
+		if (vp->da->flags.internal || (!vp->da->flags.extra && vp->da->flags.subtype) ||
+		    (vp->da == attr_message_authenticator)) {
 		next:
 			fr_dcursor_next(&cursor);
 			continue;
 		}
+
 		if (vp->da == attr_message_authenticator) goto next;
 
 		slen = fr_radius_encode_pair(&FR_DBUFF_TMP(ptr, end), &cursor, NULL);
 		if (slen < 0) {
 			RPERROR("Failed encoding chbind response");
-
-			talloc_free(ptr);
+			chbind->response = NULL;
+			talloc_free(start);
 			return false;
 		}
+
 		ptr += slen;
 	}
 
@@ -191,7 +193,7 @@ fr_radius_packet_code_t chbind_process(request_t *request, CHBIND_REQ *chbind)
 
 	/* Add the username to the fake request */
 	if (chbind->username) {
-		vp = fr_pair_copy(fake->request_ctx, chbind->username);
+		MEM(vp = fr_pair_copy(fake->request_ctx, chbind->username));
 		fr_pair_append(&fake->request_pairs, vp);
 	}