From: Alan T. DeKok Date: Sun, 28 Jan 2024 14:53:44 +0000 (-0500) Subject: clean up corner cases for decoder as found by fuzzer X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=91afeacc317ee495669adc248fd647eac8ff8d38;p=thirdparty%2Ffreeradius-server.git clean up corner cases for decoder as found by fuzzer --- diff --git a/src/protocols/dhcpv4/decode.c b/src/protocols/dhcpv4/decode.c index cbbecdd175d..acf95050a34 100644 --- a/src/protocols/dhcpv4/decode.c +++ b/src/protocols/dhcpv4/decode.c @@ -404,6 +404,11 @@ next: } p++; + /* + * Pathological case of no data. + */ + if (option_len == 0) goto next; + vp = fr_pair_find_by_da(out, NULL, vendor); if (!vp) { vp = fr_pair_afrom_da(ctx, vendor); @@ -413,9 +418,9 @@ next: } len = fr_pair_tlvs_from_network(vp, &vp->vp_group, vendor, p, option_len, decode_ctx, decode_option, verify_tlvs, false); - if (len <= 0) return len; + if (len < 0) return len; - p += len; + p += option_len; if (p < end) goto next; /* @@ -581,13 +586,6 @@ ssize_t fr_dhcpv4_decode_option(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t *q; fr_dict_attr_t const *da; - /* - * The maximum DHCPv4 packet size is 576 bytes, - * unless the other end negotiates more. - */ - if (sizeof(concat_buffer) < data_len) { - return -1; - } q = concat_buffer; for (next = data; next < end; next += 2 + next[1]) { @@ -595,10 +593,14 @@ ssize_t fr_dhcpv4_decode_option(TALLOC_CTX *ctx, fr_pair_list_t *out, if (next[0] != data[0]) break; if ((next + 2 + next[1]) > end) return -1; + if ((size_t) (q + next[1] - concat_buffer) > sizeof(concat_buffer)) return -1; + memcpy(q, next + 2, next[1]); q += next[1]; } + if (q == concat_buffer) return 0; + da = fr_dict_attr_child_by_num(fr_dict_root(dict_dhcpv4), p[0]); if (!da) { da = fr_dict_unknown_attr_afrom_num(packet_ctx->tmp_ctx, fr_dict_root(dict_dhcpv4), p[0]); diff --git a/src/tests/unit/protocols/radius/foreign.txt b/src/tests/unit/protocols/radius/foreign.txt index d4f045bc552..9c59855a0a5 100644 
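Review bot: The new `if (option_len == 0) goto next;` in the `@@ -404,6 +404,11 @@` hunk loops back without the `p < end` test that guards the other loop-back a few lines later (`if (p < end) goto next;`). If an empty vendor block is the last item in the buffer, `p` may already equal `end` when control reaches `next:`, so the safety of the reads there rests on a length check that is not visible in this hunk. Unless `next:` re-validates the remaining length itself, the empty case should pass through the same guard, for example `if (option_len == 0) goto done;` with a `done:` label placed on the existing `if (p < end) goto next;` line. The code at `next:` starts above the hunk, so this needs confirming against the full function.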
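Review bot: The switch from `p += len` to `p += option_len` in the `@@ -413,9 +418,9 @@` hunk deserves a comment, because it changes what a short return from `fr_pair_tlvs_from_network()` means: any bytes between `len` and `option_len` are now skipped instead of being re-parsed as the next vendor block. A line such as `/* Advance by the declared length, not by what was decoded, so a zero or short return cannot stall the loop. */` above `p += option_len;` would record the intent for the next reader. If the helper can return a positive value smaller than `option_len` (its contract is not visible here), it may be worth rejecting that case rather than dropping the remainder silently.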
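Review bot: The new bound in the `@@ -595,10 +593,14 @@` hunk, `(size_t) (q + next[1] - concat_buffer) > sizeof(concat_buffer)`, computes `q + next[1]` before subtracting, and that intermediate pointer can lie well past the end of `concat_buffer`. C leaves such pointer arithmetic undefined even when the result is never dereferenced. Comparing lengths avoids forming the out-of-range pointer: `if (next[1] > sizeof(concat_buffer) - (size_t) (q - concat_buffer)) return -1;`. This matters more now that the preceding hunk removes the up-front `sizeof(concat_buffer) < data_len` test, leaving this line as the only guard in front of the `memcpy()`. The loop starts above the hunk.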
--- a/src/tests/unit/protocols/radius/foreign.txt +++ b/src/tests/unit/protocols/radius/foreign.txt @@ -2,6 +2,12 @@ proto radius proto-dictionary radius fuzzer-out radius +# +# build/fuzzer/radius/timeout-3cc5f1520bf3d7176c65a27f145675f4d2fae5ae +# build/fuzzer/radius/timeout-a5de113a7713010a42500c7566904b615b32469f +# build/fuzzer/radius/timeout-07ee59de0d8e62dd362140974e37e203e2abbb11 +# build/fuzzer/radius/timeout-e39e5d1c8d7a1db9a578ead41b688161a8fc0013 +# encode-pair Extended-Attribute-5.DHCPv4-Options := { Time-Offset = 2112 } match f5 0a 04 00 02 04 00 00 08 40 
@@ -21,8 +27,23 @@ encode-pair Vendor-Specific = { Nokia-SR = { ToServer-Dhcp-Options = { Time-Offs match 1a ff 00 00 19 7f 66 fa 02 04 00 00 08 40 38 f0 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 1a 09 00 00 19 7f 66 04 7a # -# No decode as of yet +# No decode as of yet of concatenated DHCPv4 options +# + +###################################################################### +# +# Various cross-protocol tests taken from fuzzer output. 
# +decode-proto 04ac00edf504000060800402f50303f5040403f5040402f50302d604040202046000f30303f5040402f502f50302d604040202046000f30303f5040402f50302040202046000f303040402280303f54404029e0200037d2c0404040404400404040402024404029e0200007d2c04040404044004210404020202046000f30303f50202046000f303029e2c7d0402040400000303f5040402f50302040202046000f303040402280303f54404029e0200037d2c040404040440040404040404020202046000f3000000e902046000f303029eaaaaaaaaaaaaaaaaaaaaaaaa2c7d04020404009004ffff60d000032ae00400000004040303f50404 +match Packet-Type = Accounting-Request, Packet-Authentication-Vector = 0xf504000060800402f50303f5040403f5, raw.NAS-IP-Address = 0x02f5, raw.214 = 0x0402, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x02, raw.214 = 0x0402, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x02, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x04, raw.Acct-Status-Type = 0x03, Extended-Attribute-5 = { DHCPv4-Options = { PCP-IPv4-Server-Addresses = { server = { }, raw.server = 0x03 }, raw.V-I-Vendor-Specific = 0x0404040404400404040402024404029e0200007d2c04040404044004210404020202046000f30303f5020204, raw.96 = 0x, Site-specific-19 = 0x029e2c, raw.V-I-Vendor-Specific = 0x02040400 }, DHCPv4-Options = { PCP-IPv4-Server-Addresses = { server = { }, raw.server = 0x03 }, raw.V-I-Vendor-Specific.67372036 = { } } }, CHAP-Password = 0xf5, raw.NAS-IP-Address = 0x02f5, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x04, raw.Acct-Status-Type = 0x03 + + +decode-proto 03 12 02 00 00 00 00 00 00 03 03 03 03 02 fc 03 02 d7 00 04 04 02 02 02 03 02 3d 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 04 02 02 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 f5 04 04 02 02 02 04 04 04 03 f5 04 04 02 f5 03 02 d6 04 04 02 02 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 04 02 02 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 f5 04 04 02 02 02 04 04 04 04 04 04 04 04 f3 
03 03 f5 04 04 02 f5 03 03 04 02 02 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 f5 04 02 02 04 04 04 04 04 04 04 04 f3 03 03 f5 04 04 02 f5 03 03 04 02 02 04 60 00 f3 03 03 f5 9a 04 02 f5 03 03 f5 f1 04 04 04 03 f5 03 02 03 03 04 02 02 00 f3 04 60 03 03 f5 04 04 02 f5 03 03 f5 04 04 02 02 02 03 02 3d 04 60 00 f3 03 03 f5 04 03 03 f5 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 e8 03 03 02 5c 03 03 03 03 03 03 02 5c 04 04 02 f5 03 03 04 02 02 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 f5 04 02 02 04 04 04 04 04 04 04 04 f3 03 03 f5 04 04 02 f5 03 03 04 02 02 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 f5 04 03 03 f5 04 04 02 f5 03 03 04 02 02 02 3d 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 04 02 02 04 60 00 f5 04 02 f3 03 03 04 f5 03 03 f5 04 04 02 02 02 04 04 04 03 f5 04 04 02 f5 03 02 d6 04 04 02 02 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 04 02 02 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 f5 04 04 02 02 02 04 04 04 04 04 04 04 04 f3 03 03 f5 04 04 02 f5 03 03 04 02 02 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 f5 04 03 03 f5 04 04 02 f5 03 03 04 02 02 04 60 00 f3 03 03 f5 04 04 02 f5 03 03 f5 04 04 02 02 02 03 02 46 04 2a 04 04 04 44 03 03 03 03 03 03 03 03 03 72 +match Packet-Type = Access-Reject, Packet-Authentication-Vector = 0x00000000000303030302fc0302d70004, raw.NAS-Port-Type = 0x6000, raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.NAS-IP-Address = 0x0403, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x02, raw.214 = 0x0402, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.NAS-IP-Address = 
0x0404, raw.NAS-IP-Address = 0x0404, raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, raw.Extended-Attribute-5 = 0x0202, raw.NAS-IP-Address = 0x0404, raw.NAS-IP-Address = 0x0404, raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, Extended-Attribute-5 = { raw.DHCPv4-Options = 0xf50303f5f104040403f50302030304020200f304600303f5040402f50303f5040402020203023d046000f30303f5040303f503030303030303030303030303030303030303e80303025c030303030303025c040402f50303040202046000f30303f5040402f50303f50402020404040404040404f30303f5040402f50303040202046000f30303f5040402f50303f5040303f5040402 }, raw.Extended-Attribute-5 = 0x03, raw.NAS-Port-Type = 0x6000, raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, User-Password = "\366\356", raw.Extended-Attribute-5 = 0x02f3, CHAP-Password = 0x04, raw.Extended-Attribute-5 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.NAS-IP-Address = 0x0403, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x02, raw.214 = 0x0402, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.NAS-IP-Address = 0x0404, raw.NAS-IP-Address = 0x0404, raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, raw.Extended-Attribute-5 = 0x0303, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, 
User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.ARAP-Password = 0x2a04, raw.NAS-IP-Address = 0x4403, CHAP-Password = 0x03, CHAP-Password = 0x03, CHAP-Password = 0x72 + + +decode-proto 04ac00edd604040404040404040404040302d700f30303f5040402f50303f5040303f5040402f50303040202046000f30303f5040402f50303f504040202046000f30303f5040402f50303040202046000f30303f5040402f50303f5040403f5040402f50302d604040202046000f30303f5040402f50303040202046000f30303f5040402f50303f55d04002a006004040404040404f30303f5040402f50303040202046000f30303f5040402f50303f5040303f5040402f50303040202046000f30303f5040402f50303f5040402020203023d046000f30303f5040303f50304020404040404040404040404 +match Packet-Type = Accounting-Request, Packet-Authentication-Vector = 0xd604040404040404040404040302d700, raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, raw.Extended-Attribute-5 = 0x0303, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, raw.Extended-Attribute-5 = 0x0402, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, raw.Extended-Attribute-5 = 0x0403, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x02, raw.214 = 0x0402, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, User-Password = "\366\356", raw.Extended-Attribute-3 = 0x03, raw.Extended-Attribute-5 = 0x0402, raw.Extended-Attribute-5 = 0x03, Extended-Attribute-5 = { raw.DHCPv4-Options = 
0x2a006004040404040404f30303f5040402f50303040202046000f30303f5040402f50303f5040303f5040402f50303040202046000f30303f5040402f50303f5040402020203023d046000f30303f5040303f5030402040404 }, raw.NAS-IP-Address = 0x0404, raw.NAS-IP-Address = 0x0404 count -match 13 +match 19