From: Alan T. DeKok <aland@freeradius.org>
Date: Tue, 9 Dec 2025 14:59:39 +0000 (-0500)
Subject: don't create "raw" attributes with invalid numbers
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ea6600eee66768b2a9f4d54ac87fd9b3f1f04d8;p=thirdparty%2Ffreeradius-server.git

don't create "raw" attributes with invalid numbers

they should be limited by the protocol type_size.

Update cbor tests to match.
---

diff --git a/src/lib/util/cbor.c b/src/lib/util/cbor.c
index c0bbfeb29b5..88f32a7ea03 100644
--- a/src/lib/util/cbor.c
+++ b/src/lib/util/cbor.c
@@ -1690,12 +1690,11 @@ ssize_t fr_cbor_decode_pair(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dbuff_t *db
 		 *	data types.
 		 */
 		da = fr_dict_attr_unknown_typed_afrom_num(ctx, parent, value, type);
-		if (!da) goto oom;
+		if (!da) return -fr_dbuff_used(&work_dbuff);
 	}
 
 	vp = fr_pair_afrom_da(ctx, da);
 	if (!vp) {
-	oom:
 		fr_strerror_const("Out of memory");
 		return -fr_dbuff_used(&work_dbuff);
 	}
diff --git a/src/lib/util/dict_unknown.c b/src/lib/util/dict_unknown.c
index 89ffc7a33df..8834ef15f3c 100644
--- a/src/lib/util/dict_unknown.c
+++ b/src/lib/util/dict_unknown.c
@@ -385,6 +385,20 @@ fr_dict_attr_t *fr_dict_attr_unknown_typed_afrom_num_raw(TALLOC_CTX *ctx, fr_dic
 				};
 	fr_dict_attr_t const	*da = NULL;
 
+	if (parent->flags.internal) {
+		fr_strerror_printf("Cannot create 'raw' attribute from internal parent '%s' of data type '%s'",
+				   parent->name, fr_type_to_str(parent->type));
+		return NULL;
+	}
+
+	if (((parent->type == FR_TYPE_TLV) || (parent->type == FR_TYPE_VENDOR))) {
+		if ((uint64_t) num >= ((uint64_t) 1 << (8 * parent->flags.type_size))) {
+			fr_strerror_printf("Invalid attribute number '%u' - it must be no more than %u bits in size",
+					   num, 8 * parent->flags.type_size);
+			return NULL;
+		}
+	}
+
 	switch (type) {
 	default:
 		fr_strerror_printf("Cannot allocate unknown attribute '%u' - invalid data type '%s'",
diff --git a/src/tests/unit/protocols/cbor/base.txt b/src/tests/unit/protocols/cbor/base.txt
index f68e7787d1f..6bf08d8b579 100644
--- a/src/tests/unit/protocols/cbor/base.txt
+++ b/src/tests/unit/protocols/cbor/base.txt
@@ -133,7 +133,7 @@ match PMIP6-Home-HN-Prefix = ::/128
 #  From a fuzzer output
 #
 decode-pair 9f a1 1a 19 a1 82 00 da 00 00 03 ea a2 01 1a be 00 00 00 28 1b 70 a1 00 da 00 00 03 ea
-match Invalid cbor header - unexpected end of data
+match Invalid attribute number '430014976' - it must be no more than 8 bits in size
 
 count
 match 61