From: Alan T. DeKok Date: Mon, 17 Jul 2023 12:28:42 +0000 (-0400) Subject: make fr_tacacs_packet_log_hex() take and check a length field X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=623772e4bc0b4235c44019ca23b2451e819133d8;p=thirdparty%2Ffreeradius-server.git make fr_tacacs_packet_log_hex() take and check a length field
---
diff --git a/src/protocols/tacacs/base.c b/src/protocols/tacacs/base.c
index b78c0f5f2d5..a1ee03e2b24 100644
--- a/src/protocols/tacacs/base.c
+++ b/src/protocols/tacacs/base.c
@@ -385,12 +385,19 @@ static void print_args(fr_log_t const *log, char const *file, int line, size_t a
 }
 }
-void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *packet, char const *file, int line)
+void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *packet, size_t packet_len, char const *file, int line)
 {
 size_t length;
 uint8_t const *p = (uint8_t const *) packet;
 uint8_t const *hdr, *end, *args;
+ end = ((uint8_t const *) packet) + packet_len;
+
+ if (packet_len < 12) {
+ print_hex(log, file, line, "header ", p, packet_len, end);
+ return;
+ }
+
 /*
 * It has to be at least 12 bytes long.
 */
@@ -419,7 +426,11 @@ void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *pa
 p += 12;
 hdr = p;
- end = hdr + length;
+
+ if ((p + length) != end) {
+ fr_log(log, L_DBG, file, line, "length field does not match input packet length %08lx", packet_len - 12);
+ return;
+ }
 #define OVERFLOW8(_field, _name) do { \
 if ((p + _field) > end) { \
diff --git a/src/protocols/tacacs/decode.c b/src/protocols/tacacs/decode.c
index 649ad2cf754..d73395a8415 100644
--- a/src/protocols/tacacs/decode.c
+++ b/src/protocols/tacacs/decode.c
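Review bot: In the first base.c hunk the new guard `if (packet_len < 12)` sits above the existing comment "It has to be at least 12 bytes long", so the explanation now trails the check it describes, and nothing documents what the new `packet_len` parameter means. I would move that comment above the guard and add a header comment along the lines of `/* packet_len is the number of bytes available at packet; end is derived from it, not from the header's length field */`. The literal 12 is used in this guard, in `p += 12` and in `packet_len - 12` in the next hunk; one named constant for the TACACS+ header size would keep the three in step. The function body continues outside the hunk.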
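Review bot: In the second base.c hunk, `(p + length) != end` builds a pointer from `length` before that value has been checked; `length` is assigned outside the hunk and presumably comes from the packet header, so a large value makes the addition point far beyond the buffer, which is undefined behaviour and can wrap on 32-bit builds. Comparing integers avoids this: `if (length != (packet_len - 12)) {`, which cannot underflow because the earlier guard returns when `packet_len < 12`. The `%08lx` conversion is also given a `size_t`, a mismatch wherever `size_t` is not `unsigned long`; `%08zx` is the matching form. Printing both values, `"length field %08zx does not match input packet length %08zx", length, packet_len - 12`, would let the debug line stand on its own.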
@@ -557,7 +557,7 @@ ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_attr_t co
 }
 #ifndef NDEBUG
- if (fr_debug_lvl >= L_DBG_LVL_4) fr_tacacs_packet_log_hex(&default_log, pkt);
+ if (fr_debug_lvl >= L_DBG_LVL_4) fr_tacacs_packet_log_hex(&default_log, pkt, (end - buffer));
 #endif
 if (code) {
diff --git a/src/protocols/tacacs/encode.c b/src/protocols/tacacs/encode.c
index 6029060e9e0..cacbcac0319 100644
--- a/src/protocols/tacacs/encode.c
+++ b/src/protocols/tacacs/encode.c
@@ -978,7 +978,7 @@ ssize_t fr_tacacs_encode(fr_dbuff_t *dbuff, uint8_t const *original_packet, char
 uint8_t flags = packet->hdr.flags;
 packet->hdr.flags |= FR_TAC_PLUS_UNENCRYPTED_FLAG;
- fr_tacacs_packet_log_hex(&default_log, packet);
+ fr_tacacs_packet_log_hex(&default_log, packet, packet_len);
 packet->hdr.flags = flags;
 }
 #endif
diff --git a/src/protocols/tacacs/tacacs.h b/src/protocols/tacacs/tacacs.h
index 9999a31e2fa..b15b8492bf9 100644
--- a/src/protocols/tacacs/tacacs.h
+++ b/src/protocols/tacacs/tacacs.h
@@ -351,5 +351,5 @@ void fr_tacacs_free(void);
 int fr_tacacs_body_xor(fr_tacacs_packet_t const *pkt, uint8_t *body, size_t body_len, char const *secret, size_t secret_len) CC_HINT(nonnull(1,2,4));
-#define fr_tacacs_packet_log_hex(_log, _packet) _fr_tacacs_packet_log_hex(_log, _packet, __FILE__, __LINE__);
-void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *packet, char const *file, int line) CC_HINT(nonnull);
+#define fr_tacacs_packet_log_hex(_log, _packet, _size) _fr_tacacs_packet_log_hex(_log, _packet, _size, __FILE__, __LINE__);
+void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *packet, size_t packet_len, char const *file, int line) CC_HINT(nonnull);
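Review bot: In the decode.c hunk the dump receives `pkt` together with a length computed from different variables, `(end - buffer)`, and the hunk does not show that `pkt` addresses those same bytes; if `pkt` can point at a separate copy of the packet, the length should be taken from that copy. The expression is a signed pointer difference converted implicitly to `size_t`, so a short comment or an assertion that `end >= buffer` would record the assumption. The same applies to `packet_len` at the encode.c call site, which is defined outside that hunk. The callee in base.c now returns early unless the value equals the 12-byte header plus what appears to be the header's length field, so both callers have to pass the total packet length, header included. Both functions continue outside their hunks.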
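Review bot: The updated `fr_tacacs_packet_log_hex` macro in tacacs.h still ends in a semicolon, so each use expands to the call followed by an extra empty statement; the decode.c call in this commit sits in an unbraced `if`, and adding an `else` there later would no longer compile. Dropping the trailing `;` from the definition is enough: `#define fr_tacacs_packet_log_hex(_log, _packet, _size) _fr_tacacs_packet_log_hex(_log, _packet, _size, __FILE__, __LINE__)`. A one-line comment above the prototype stating that `packet_len` is the total number of bytes at `packet`, header included, would help callers pass the right value.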