From: Alan T. DeKok <aland@freeradius.org>
Date: Fri, 7 Jun 2024 14:40:10 +0000 (-0400)
Subject: double-check iterations size
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37368d10fd0da60bca2c55b39c8c2c935d7752fb;p=thirdparty%2Ffreeradius-server.git

double-check iterations size
---

diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
index 67a363fb7df..4c08019a116 100644
--- a/src/modules/rlm_pap/rlm_pap.c
+++ b/src/modules/rlm_pap/rlm_pap.c
@@ -573,6 +573,16 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse(rlm_rcode_t
 		char iterations_buff[sizeof("4294967295") + 1];
 		char *qq;
 
+		/*
+		 *	While passwords come from "trusted" sources, we don't trust them too much!
+		 */
+		if ((size_t) (q - p) >= sizeof(iterations_buff)) {
+			REMARKER((char const *) p, q - p,
+				 "Password.PBKDF2 iterations field is too large");
+
+			goto finish;
+		}
+
 		strlcpy(iterations_buff, (char const *)p, (q - p) + 1);
 
 		iterations = strtoul(iterations_buff, &qq, 10);