From: Alan T. DeKok <aland@freeradius.org>
Date: Thu, 26 Feb 2026 18:46:33 +0000 (-0500)
Subject: more checks for corner cases and invalid data
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd1eaf1c412bd667ffe910cde9ceb1aea7dbcf51;p=thirdparty%2Ffreeradius-server.git

more checks for corner cases and invalid data
---

diff --git a/src/modules/rlm_cache/drivers/rlm_cache_rbtree/rlm_cache_rbtree.c b/src/modules/rlm_cache/drivers/rlm_cache_rbtree/rlm_cache_rbtree.c
index c2fe0e2eb09..00142de497d 100644
--- a/src/modules/rlm_cache/drivers/rlm_cache_rbtree/rlm_cache_rbtree.c
+++ b/src/modules/rlm_cache/drivers/rlm_cache_rbtree/rlm_cache_rbtree.c
@@ -332,7 +332,7 @@ static int mod_instantiate(module_inst_ctx_t const *mctx)
 		ERROR("Failed to create cache");
 	error:
 		talloc_free(mutable);
-		goto error;
+		return -1;
 	}
 
 	/*
diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
index 632c90b783e..a4d1862ce93 100644
--- a/src/modules/rlm_pap/rlm_pap.c
+++ b/src/modules/rlm_pap/rlm_pap.c
@@ -588,6 +588,7 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse_digest(unla
 		}
 		if (slen != sizeof(iterations)) {
 			REDEBUG("Decoded Password.PBKDF2 iterations component is wrong size");
+			goto finish;
 		}
 
 		iterations = ntohl(iterations);
@@ -621,7 +622,7 @@ static inline CC_HINT(nonnull) unlang_action_t pap_auth_pbkdf2_parse_digest(unla
 
 	p = q + 1;
 
-	if ((q - p) == 0) {
+	if ((end - p) == 0) {
 		REDEBUG("Password.PBKDF2 hash component too short");
 		goto finish;
 	}
@@ -766,6 +767,10 @@ static inline unlang_action_t CC_HINT(nonnull) pap_auth_pbkdf2(unlang_result_t *
 			 */
 			if (*p == '{') {
 				q = memchr(p, '}', end - p);
+				if (!q) {
+					REDEBUG("Password.PBKDF2 is missing '}");
+					RETURN_UNLANG_INVALID;
+				}
 				p = q + 1;
 			}
 			return pap_auth_pbkdf2_parse(p_result, request, p, end - p,