From: Alan T. DeKok <aland@freeradius.org>
Date: Fri, 9 Apr 2021 13:51:32 +0000 (-0400)
Subject: respect the "concat" flag when decoding TLVs
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2e88b2f75ac32dc52a8b1328f37c364b8356e38;p=thirdparty%2Ffreeradius-server.git

respect the "concat" flag when decoding TLVs

and add digest tests for the same.
---

diff --git a/src/protocols/radius/decode.c b/src/protocols/radius/decode.c
index dcf46e610f..f18735a1e8 100644
--- a/src/protocols/radius/decode.c
+++ b/src/protocols/radius/decode.c
@@ -422,6 +422,7 @@ ssize_t fr_radius_decode_tlv(TALLOC_CTX *ctx, fr_dcursor_t *cursor, fr_dict_t co
 	fr_pair_list_t		head;
 	fr_dcursor_t		tlv_cursor;
 	fr_pair_t		*vp;
+	bool			concat;
 
 	fr_pair_list_init(&head);
 	if (data_len < 3) return -1; /* type, length, value */
@@ -434,7 +435,18 @@ ssize_t fr_radius_decode_tlv(TALLOC_CTX *ctx, fr_dcursor_t *cursor, fr_dict_t co
 
 	if (fr_radius_decode_tlv_ok(p, data_len, 1, 1) < 0) return -1;
 
-	vp = fr_pair_afrom_da(ctx, parent);
+	/*
+	 *	We don't have a "pair find in cursor"
+	 */
+	if (flag_concat(&parent->flags)) {
+		vp = fr_pair_find_by_da(fr_pair_list_from_dcursor(cursor), parent);
+		concat = (vp != NULL);
+	} else {
+		vp = NULL;
+		concat = false;
+	}
+
+	if (!vp) vp = fr_pair_afrom_da(ctx, parent);
 	if (!vp) return PAIR_DECODE_OOM;
 
 	/*
@@ -455,7 +467,7 @@ ssize_t fr_radius_decode_tlv(TALLOC_CTX *ctx, fr_dcursor_t *cursor, fr_dict_t co
 			child = fr_dict_unknown_attr_afrom_num(packet_ctx->tmp_ctx, parent, p[0]);
 			if (!child) {
 			error:
-				talloc_free(vp);
+				if (!concat) talloc_free(vp);
 				return -1;
 			}
 		}
@@ -469,7 +481,7 @@ ssize_t fr_radius_decode_tlv(TALLOC_CTX *ctx, fr_dcursor_t *cursor, fr_dict_t co
 	}
 
 	fr_pair_list_append(&vp->vp_group, &head);
-	fr_dcursor_append(cursor, vp);
+	if (!concat) fr_dcursor_append(cursor, vp);
 
 	return data_len;
 }
diff --git a/src/tests/unit/protocols/radius/digest.txt b/src/tests/unit/protocols/radius/digest.txt
index 0c89cfa9c2..09e3809fa3 100644
--- a/src/tests/unit/protocols/radius/digest.txt
+++ b/src/tests/unit/protocols/radius/digest.txt
@@ -10,5 +10,27 @@ match cf 72 01 0c 62 69 6c 6f 78 69 2e 63 6f 6d 02 24 64 63 64 39 38 62 37 31 30
 decode-pair -
 match Digest-Attributes = { Realm = "biloxi.com", Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", Method = "INVITE", URI = "sip:bob@biloxi.com", User-Name = "bob", QOP = "auth", Algorithm = "MD5", Nonce-Count = "00000001", CNonce = "0a4f113b" }
 
+encode-pair Digest-Attributes = { Realm = "biloxi.com" }
+match cf 0e 01 0c 62 69 6c 6f 78 69 2e 63 6f 6d
+
+encode-pair Digest-Attributes = { User-Name = "bob" }
+match cf 07 0a 05 62 6f 62
+
+#
+#  The two previous things, concatenated as attributes.
+#
+#  The Digest-Attributes dictionary entry is marked "concat",
+#  so the decoder MUST create one Digest-Attributes VP, instead of two.
+#
+decode-pair cf 0e 01 0c 62 69 6c 6f 78 69 2e 63 6f 6d cf 07 0a 05 62 6f 62
+match Digest-Attributes = { Realm = "biloxi.com", User-Name = "bob" }
+
+#
+#  And on encoding it, we mash everything together.
+#
+encode-pair -
+match cf 13 01 0c 62 69 6c 6f 78 69 2e 63 6f 6d 0a 05 62 6f 62
+
+
 count
 match 6