From: Alan T. DeKok <aland@freeradius.org>
Date: Sat, 21 May 2011 06:53:19 +0000 (+0200)
Subject: Catch more corner cases
X-Git-Tag: release_3_0_0_beta0~815
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3a33739872bf68276b5872807587e9e051903a26;p=thirdparty%2Ffreeradius-server.git

Catch more corner cases

Memory leak in esoteric circumstances.

"long" data wasn't handled properly.
---

diff --git a/src/lib/radius.c b/src/lib/radius.c
index 8bdb9fd58f6..c559e02d032 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -2825,6 +2825,31 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet,
 				    data, length, pvp);
 	}
 
+	/*
+	 *	The data is very long.
+	 */
+	if (length > sizeof(vp->vp_octets)) {
+		/*
+		 *	Long encrypted attributes are forbidden.
+		 */
+		if (da->flags.encrypt != FLAG_ENCRYPT_NONE) goto raw;
+
+#ifndef NDEBUG
+		/*
+		 *	Catch programming errors.
+		 */
+		if ((da->type != PW_TYPE_STRING) &&
+		    (da->type != PW_TYPE_OCTETS)) goto raw;
+
+#endif
+
+		/*
+		 *	FIXME: Figure out how to deal with long
+		 *	strings and binary data!
+		 */
+		goto raw;
+	}
+
 	/*
 	 *	The attribute is known, and well formed.  We can now
 	 *	create it.  The main failure from here on in is being
@@ -3325,6 +3350,7 @@ static ssize_t data2vp_continued(const RADIUS_PACKET *packet,
 	while (left > 0) {
 #ifndef NDEBUG
 		if (data >= (start + length)) {
+			free(attr);
 			fr_strerror_printf("data2vp_continued: Internal sanity check failed");
 			return -1;
 		}