From: Alan T. DeKok
Date: Tue, 24 Jan 2023 00:58:19 +0000 (-0500)
Subject: clean up definition of FR_TACACS_CODE_MAX. Fixes #4856
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d42974446ce4a3a6d9ee8b5490f24fb61dcf4f89;p=thirdparty%2Ffreeradius-server.git
clean up definition of FR_TACACS_CODE_MAX. Fixes #4856
The CODE_MAX definition should be one more than the last valid packet code. The DO_NOT_RESPOND value should be a value which will never show up in a real packet. The PACKET_CODE_VALID macro should be used instead of relying on manual checks of CODE_MAX
---
diff --git a/share/dictionary/tacacs/dictionary.freeradius.internal b/share/dictionary/tacacs/dictionary.freeradius.internal
index 983fdc89d42..a2ec143e98d 100644
--- a/share/dictionary/tacacs/dictionary.freeradius.internal
+++ b/share/dictionary/tacacs/dictionary.freeradius.internal
@@ -24,6 +24,6 @@ VALUE Packet-Type Authorization-Request 5
 VALUE Packet-Type Authorization-Reply 6
 VALUE Packet-Type Accounting-Request 7
 VALUE Packet-Type Accounting-Reply 8
-VALUE Packet-Type Do-Not-Respond 9
+VALUE Packet-Type Do-Not-Respond 256
 ATTRIBUTE State 65537 octets
diff --git a/src/listen/tacacs/proto_tacacs.c b/src/listen/tacacs/proto_tacacs.c
index 81781435708..a823edd3c25 100644
--- a/src/listen/tacacs/proto_tacacs.c
+++ b/src/listen/tacacs/proto_tacacs.c
@@ -104,7 +104,7 @@ static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM
 value = cf_pair_value(cp);
 dv = fr_dict_enum_by_name(attr_packet_type, value, -1);
- if (!dv || (dv->value->vb_uint32 >= FR_TACACS_CODE_MAX)) {
+ if (!dv || FR_TACACS_PACKET_CODE_VALID(dv->value->vb_uint32)) {
 cf_log_err(ci, "Unknown TACACS+ packet type '%s'", value);
 return -1;
 }
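Review bot: The rewritten condition in type_parse drops the negation, so `FR_TACACS_PACKET_CODE_VALID(dv->value->vb_uint32)` now rejects every in-range packet type with "Unknown TACACS+ packet type" and accepts out-of-range values such as Do-Not-Respond, which this commit moves to 256. The removed test rejected codes `>= FR_TACACS_CODE_MAX`; the equivalent with the macro is `if (!dv || !FR_TACACS_PACKET_CODE_VALID(dv->value->vb_uint32)) {`. The mod_encode hunk in the same file does negate the macro, which suggests this is a slip rather than intent. type_parse starts and ends outside the hunk, so how the accepted value is used afterwards (possibly as an index) is not visible and should be checked together with the fix.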
@@ -341,7 +341,7 @@ static ssize_t mod_encode(void const *instance, request_t *request, uint8_t *buf
 */
 if ((buffer_len == 1) ||
 (request->reply->code == FR_PACKET_TYPE_VALUE_DO_NOT_RESPOND) ||
- (request->reply->code == 0) || (request->reply->code >= FR_TACACS_CODE_MAX)) {
+ !FR_TACACS_PACKET_CODE_VALID(request->reply->code)) {
 track->do_not_respond = true;
 return 1;
 }
@@ -418,8 +418,7 @@ static int mod_priority_set(void const *instance, uint8_t const *buffer, UNUSED
 {
 proto_tacacs_t const *inst = talloc_get_type_abort_const(instance, proto_tacacs_t);
- fr_assert(buffer[1] != FR_TAC_PLUS_INVALID);
- fr_assert(buffer[1] < FR_TAC_PLUS_MAX);
+ fr_assert(FR_TACACS_PACKET_CODE_VALID(buffer[1]));
 /*
 * Disallowed packet
diff --git a/src/protocols/tacacs/tacacs.h b/src/protocols/tacacs/tacacs.h
index 8a4cfb75f32..805f2824fb7 100644
--- a/src/protocols/tacacs/tacacs.h
+++ b/src/protocols/tacacs/tacacs.h
@@ -280,8 +280,8 @@ typedef enum {
 FR_TACACS_AUTZ_REPLY = FR_PACKET_TYPE_VALUE_AUTHORIZATION_REPLY,
 FR_TACACS_ACCT_REQUEST = FR_PACKET_TYPE_VALUE_ACCOUNTING_REQUEST,
 FR_TACACS_ACCT_REPLY = FR_PACKET_TYPE_VALUE_ACCOUNTING_REPLY,
- FR_TACACS_DO_NOT_RESPOND = FR_PACKET_TYPE_VALUE_DO_NOT_RESPOND,
 FR_TACACS_CODE_MAX = 9,
+ FR_TACACS_DO_NOT_RESPOND = FR_PACKET_TYPE_VALUE_DO_NOT_RESPOND,
 } fr_tacacs_packet_code_t;
 #define FR_TACACS_PACKET_CODE_VALID(_code) (((_code) > 0) && ((_code) < FR_TACACS_CODE_MAX))
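Review bot: In mod_priority_set the new assert checks `buffer[1]` against a different range than the two it replaces: those bounded it by `FR_TAC_PLUS_INVALID` and `FR_TAC_PLUS_MAX`, the new one by the packet-code range 1 to `FR_TACACS_CODE_MAX - 1`. Neither `FR_TAC_PLUS_*` value is shown here, so if `buffer[1]` is the raw header type rather than a packet code, the assert may now admit values the old pair excluded. `buffer` is received packet data and `fr_assert` is presumably compiled out of release builds (not visible here), so the code after the "Disallowed packet" comment, which lies outside the hunk, should not depend on this line as its bounds check. Add a comment naming where `buffer[1]` is actually validated, e.g. `/* buffer[1] already range-checked when the packet was read */`, or replace the assert with an explicit range test and early return if no earlier check exists.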
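Review bot: `FR_TACACS_CODE_MAX = 9` in tacacs.h remains a bare literal, and the rule from the commit message (one more than the last valid code, with Do-Not-Respond outside the valid range) is neither recorded nor enforced beside the enum. Deriving the value, `FR_TACACS_CODE_MAX = FR_TACACS_ACCT_REPLY + 1,`, and adding a compile-time check that `FR_TACACS_DO_NOT_RESPOND >= FR_TACACS_CODE_MAX` would stop the header and the dictionary from drifting apart again. `FR_TACACS_PACKET_CODE_VALID(_code)` evaluates its argument twice, so a one-line comment above the macro should warn against arguments with side effects. The enum begins outside the hunk.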