From: Alan T. DeKok
Date: Thu, 17 Mar 2022 12:04:09 +0000 (-0400)
Subject: arrays eat up the rest of the struct
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=541e262e7457be407ced279de9051066834b2b68;p=thirdparty%2Ffreeradius-server.git
arrays eat up the rest of the struct and avoid overflow in length checks. and assert that single values we're decoding manually aren't arrays, becuse we need extra code to handle that.
---
diff --git a/src/lib/util/struct.c b/src/lib/util/struct.c
index 8e1a8f8a231..372351a6151 100644
--- a/src/lib/util/struct.c
+++ b/src/lib/util/struct.c
@@ -242,12 +242,16 @@ ssize_t fr_struct_from_network(TALLOC_CTX *ctx, fr_pair_list_t *out,
 * If this field overflows the input, then *all*
 * of the input is suspect.
 */
- if ((p + child_length) > end) {
+ if (child_length > (size_t) (end - p)) {
 FR_PROTO_TRACE("fr_struct_from_network - child length %zd overflows buffer", child_length);
 goto unknown;
 }
 
- if (!child_length) child_length = (end - p);
+ /*
+ * The child is variable sized, OR it's an array.
+ * Eat up the rest of the data.
+ */
+ if (!child_length || (child->flags.array)) child_length = (end - p);
 
 /*
 * Magic values get the callback called.
@@ -283,6 +287,11 @@ ssize_t fr_struct_from_network(TALLOC_CTX *ctx, fr_pair_list_t *out,
 break;
 }
 
+ /*
+ * We don't handle this yet here.
+ */
+ fr_assert(!child->flags.array);
+
 vp = fr_pair_afrom_da(child_ctx, child);
 if (!vp) {
 FR_PROTO_TRACE("fr_struct_from_network - failed allocating child VP");
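Review bot: The rewritten bounds check `child_length > (size_t) (end - p)` is only sound while `p <= end`, because a negative difference converts to a very large `size_t` and every `child_length` would then pass. The loop condition that presumably guarantees this lies outside the hunk, so I would state the invariant next to the check, for example `fr_assert(p <= end);` or a comment line `p never passes end here, so (end - p) is non-negative`. Separately, for an array child the remainder `(end - p)` is assigned with no visible check that it is a whole multiple of the element size; if the array decoder further down does not already reject a trailing partial element, that case deserves a check or at least a comment here. The body of fr_struct_from_network starts and ends outside the hunk.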
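Review bot: `fr_assert(!child->flags.array);` is the only guard on this path, and if `fr_assert` compiles to nothing in non-debug builds (worth confirming against its definition), an array child reaching this point would be decoded as a single value spanning the rest of the struct, since the earlier hunk sets `child_length = (end - p)` for arrays. Because the data being decoded comes from the network, a runtime fallback is safer than an assert alone: `if (child->flags.array) goto unknown;` after the assert, provided the `unknown` label used by the length check is still a valid exit from here. The comment would also be clearer if it named what is unhandled, e.g. `Manual single-value decoding does not support arrays; that needs extra code.` The enclosing function starts and ends outside the hunk.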