From: Alan T. DeKok
Date: Fri, 18 Feb 2022 13:31:31 +0000 (-0500)
Subject: check length before using it. Fixes fuzzer
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5906bfa14c9e2b7a73b540c09b42d9f02e33d708;p=thirdparty%2Ffreeradius-server.git
check length before using it. Fixes fuzzer
---
diff --git a/src/protocols/radius/abinary.c b/src/protocols/radius/abinary.c
index 4ef0aee3a90..e8f6a283a2b 100644
--- a/src/protocols/radius/abinary.c
+++ b/src/protocols/radius/abinary.c
@@ -1453,20 +1453,28 @@ ssize_t fr_radius_decode_abinary(fr_pair_t *vp, uint8_t const *data, size_t data
 case ASCEND_FILTER_GENERIC:
 {
- int count;
+ size_t i, len;
+
+ /*
+ * Why is len 16 bits, when the masks are only 6 bytes?
+ */
+ len = ntohs(filter->generic.len);
+ if (len >= sizeof(filter->generic.mask)) {
+ return -size;
+ }
 FR_SBUFF_IN_SPRINTF_RETURN(&sbuff, " %u ", (unsigned int) ntohs(filter->generic.offset));
 /* show the mask */
- for (count = 0; count < ntohs(filter->generic.len); count++) {
- FR_SBUFF_IN_SPRINTF_RETURN(&sbuff, "%02x", filter->generic.mask[count]);
+ for (i = 0; i < len; i++) {
+ FR_SBUFF_IN_SPRINTF_RETURN(&sbuff, "%02x", filter->generic.mask[i]);
 }
 FR_SBUFF_IN_STRCPY_RETURN(&sbuff, " ");
 /* show the value */
- for (count = 0; count < ntohs(filter->generic.len); count++) {
- FR_SBUFF_IN_SPRINTF_RETURN(&sbuff, "%02x", filter->generic.value[count]);
+ for (i = 0; i < len; i++) {
+ FR_SBUFF_IN_SPRINTF_RETURN(&sbuff, "%02x", filter->generic.value[i]);
 }
 FR_SBUFF_IN_SPRINTF_RETURN(&sbuff, " %s", (filter->generic.compNeq) ? "!=" : "==");
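Review bot: The new bound is taken from `sizeof(filter->generic.mask)` only, but the second loop indexes `filter->generic.value[i]` with the same wire-supplied `len`, so the value read is safe only if both arrays have the same size. Neither declaration is visible in this hunk; either test both, `if (len >= sizeof(filter->generic.mask) || len >= sizeof(filter->generic.value)) {`, or pin the equality with a compile-time assertion next to the struct definition. Separately, `>=` refuses a length equal to the array size even though the loops run `i < len` and would stay in bounds for it; please confirm that a full-length mask is meant to be rejected. The open question in the new comment would also read better as a statement, e.g. `/* len is a 16-bit field from the packet; bound it by the mask/value array sizes before indexing */`. The enclosing function starts and ends outside the hunk.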