From: James Jones Date: Tue, 7 Nov 2023 18:54:54 +0000 (-0600) Subject: Tweak mod_read() range check on packet code (CID #1419883?) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d76b0e26f16825dd53e4e7fdc61f413f8af1b7a6;p=thirdparty%2Ffreeradius-server.git Tweak mod_read() range check on packet code (CID #1419883?) buffer[0] is used as index into fr_radius_packet_names[], so allowing FR_PACKET_CODE_MAX will fall off the end. This may placate coverity, but I believe it is needed in any case.
---
diff --git a/src/listen/radius/proto_radius_tcp.c b/src/listen/radius/proto_radius_tcp.c
index e228824f532..46f01571470 100644
--- a/src/listen/radius/proto_radius_tcp.c
+++ b/src/listen/radius/proto_radius_tcp.c
@@ -134,7 +134,7 @@ static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *re
 /*
 * We MUST always start with a known RADIUS packet.
 */
- if ((buffer[0] == 0) || (buffer[0] > FR_RADIUS_CODE_MAX)) {
+ if ((buffer[0] == 0) || (buffer[0] >= FR_RADIUS_CODE_MAX)) {
 DEBUG("proto_radius_tcp got invalid packet code %d", buffer[0]);
 thread->stats.total_unknown_types++;
 return -1;
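Review bot: The reason for the exclusive upper bound in `buffer[0] >= FR_RADIUS_CODE_MAX` is recorded only in the commit message, so the comment above the check should state it, for example `We MUST always start with a known RADIUS packet; buffer[0] indexes fr_radius_packet_names[], so FR_RADIUS_CODE_MAX itself is out of range.` The indexing of fr_radius_packet_names[] is not visible here, since mod_read() starts and ends outside the hunk. It is therefore worth confirming that the array really has FR_RADIUS_CODE_MAX entries and that buffer[0] is only read after at least one byte has been received. If other read paths in the RADIUS listeners still compare against the maximum with `>`, they presumably need the same change.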