From: Alan T. DeKok
Date: Fri, 4 Dec 2015 13:29:04 +0000 (-0500)
Subject: Check buffer as we copy data into it
X-Git-Tag: release_3_0_11~113
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95299e0f29db2912cbcd3fe5829da3ad53cf9edb;p=thirdparty%2Ffreeradius-server.git
Check buffer as we copy data into it
---
diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
index 94ada65acac..f3c10065d16 100644
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -1668,7 +1668,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
 */
 uint8_t new_nt_encrypted[516], old_nt_encrypted[NT_DIGEST_LENGTH];
 VALUE_PAIR *nt_enc=NULL;
- int seq, new_nt_enc_len=0;
+ int seq, new_nt_enc_len;
 uint8_t *p;
 RDEBUG("MS-CHAPv2 password change request received");
@@ -1689,6 +1689,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
 * 06::00:02:<2nd chunk>
 * 06::00:03:<3rd chunk>
 */
+ new_nt_enc_len = 0;
 for (seq = 1; seq < 4; seq++) {
 vp_cursor_t cursor;
 int found = 0;
@@ -1717,12 +1718,15 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
 return RLM_MODULE_INVALID;
 }
- /*
- * copy the data into the buffer
- */
+ if ((new_nt_enc_len + nt_enc->vp_length - 4)>= sizeof(new_nt_encrypted)) {
+ REDEBUG("Unpacked MS-CHAP-NT-Enc-PW length > 516");
+ return RLM_MODULE_INVALID;
+ }
+
 memcpy(new_nt_encrypted + new_nt_enc_len, nt_enc->vp_octets + 4, nt_enc->vp_length - 4);
 new_nt_enc_len += nt_enc->vp_length - 4;
 }
+
 if (new_nt_enc_len != 516) {
 REDEBUG("Unpacked MS-CHAP-NT-Enc-PW length != 516");
 return RLM_MODULE_INVALID;
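Review bot: The guard added before the memcpy in the third hunk compares with `>=` against `sizeof(new_nt_encrypted)`, which is 516 per the declaration in the first hunk, so the chunk that brings the total to exactly 516 bytes is rejected, while the check after the loop requires `new_nt_enc_len` to be exactly 516. As written, no request appears able to pass both tests. Its log text says "> 516", which also disagrees with the operator. Using `if ((new_nt_enc_len + nt_enc->vp_length - 4) > sizeof(new_nt_encrypted)) {` still keeps the copy inside the buffer and lets a full-length value through. The expression `nt_enc->vp_length - 4` is only safe if the checks earlier in the loop, which lie outside this hunk, already reject attributes shorter than 4 bytes; a short comment above the guard, such as `/* vp_length >= 4 is enforced above; bound the copy to the 516-byte buffer */`, would record that dependency. The body of mod_authenticate starts and ends outside the hunks.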