From: Alan T. DeKok
Date: Thu, 14 Oct 2021 20:06:54 +0000 (-0400)
Subject: ensure that input buffer is zero-terminated
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=522d55f3d93e55899639e5d328516daecc7903c2;p=thirdparty%2Ffreeradius-server.git

ensure that input buffer is zero-terminated
---

diff --git a/src/lib/util/fuzzer.c b/src/lib/util/fuzzer.c
index 3a5bdd604ea..82c76d19e73 100644
--- a/src/lib/util/fuzzer.c
+++ b/src/lib/util/fuzzer.c
@@ -41,6 +41,7 @@ static ssize_t util_decode_proto(TALLOC_CTX *ctx, UNUSED fr_pair_list_t *out, ui
 	ssize_t rcode;
 	fr_type_t type;
 	fr_value_box_t *box;
+	uint8_t *copy;
 
 	if (data_len == 1) return data_len;
 
@@ -56,13 +57,23 @@ static ssize_t util_decode_proto(TALLOC_CTX *ctx, UNUSED fr_pair_list_t *out, ui
 	box = fr_value_box_alloc(ctx, type, NULL, true);
 	if (!box) return -1;
+	/*
+	 *	Copy the input, and ensure that it's zero terminated.
+	 */
+	copy = talloc_zero_array(box, uint8_t, data_len);
+	if (!copy) {
+		talloc_free(box);
+		return -1;
+	}
+	memcpy(copy, data + 1, data_len - 1);
+
+
 	/*
 	 *	Some things in value_box_from_str() don't yet respect
-	 *	data_len.  This means that we _know_ there will be
-	 *	buffer over-runs, so some issues will have to be
-	 *	ignored for now. :(
+	 *	data_len.  This means that if there's no zero
+	 *	termination, we _know_ there will be buffer over-runs.
 	 */
-	rcode = fr_value_box_from_str(box, box, type, NULL, (char const *) data + 1, data_len - 1, 0, true);
+	rcode = fr_value_box_from_str(box, box, type, NULL, (char const *) copy, data_len - 1, 0, true);
 
 	talloc_free(box);
 	return rcode;
 }
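Review bot: The new `memcpy(copy, data + 1, data_len - 1)` wraps `data_len - 1` to SIZE_MAX if `data_len` is 0, and the only length guard visible in this function is the `data_len == 1` early return in the first hunk; the lines between the two hunks are not shown, so if nothing there rejects an empty input, a fuzzer can hit this with a zero-length buffer, and a `if (data_len < 2) return data_len;` guard (or an equivalent check before the `talloc_zero_array`) would close it. Separately, the zero-terminated copy is a workaround that now hides the very over-reads the fuzzer was finding — `fr_value_box_from_str()` callers that ignore `data_len` will simply stop at the trailing NUL instead of tripping ASan — so the rewritten comment should say this is temporary and point at the real fix, e.g. `TODO: remove the copy once every value_box_from_str() parser honours data_len; until then length bugs in those parsers are masked here.` The allocation itself is fine: `copy` is a talloc child of `box`, so the existing `talloc_free(box)` releases both on every path.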