From: Alan T. DeKok <aland@freeradius.org>
Date: Thu, 23 Mar 2023 13:43:25 +0000 (-0400)
Subject: check for overflow when we add the length field
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9255150450a5c1ea2e73ca33604584209e865d9;p=thirdparty%2Ffreeradius-server.git

check for overflow when we add the length field
---

diff --git a/src/lib/util/struct.c b/src/lib/util/struct.c
index efa3cd39f69..f09f3ea215b 100644
--- a/src/lib/util/struct.c
+++ b/src/lib/util/struct.c
@@ -78,7 +78,7 @@ ssize_t fr_struct_from_network(TALLOC_CTX *ctx, fr_pair_list_t *out,
 	 *	Decode structs with length prefixes.
 	 */
 	if (da_is_length_field(parent)) {
-		size_t struct_len, need;
+		size_t struct_len, need, new_len;
 
 		if (parent->flags.subtype == FLAG_LENGTH_UINT8) {
 			need = 1;
@@ -115,7 +115,10 @@ ssize_t fr_struct_from_network(TALLOC_CTX *ctx, fr_pair_list_t *out,
 		 */
 		p += need;
 		end = p + struct_len;
-		data_len = struct_len + need - offset;
+		new_len = struct_len + need - offset;
+		if (new_len > data_len) goto unknown;
+
+		data_len = new_len;
 	}
 
 	/*