From: Alan T. DeKok <aland@freeradius.org>
Date: Fri, 9 Feb 2024 14:49:50 +0000 (-0500)
Subject: check for fragment with insufficient room for header
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dbac50e667c70419625ce52eebb8b928f1ee6dfa;p=thirdparty%2Ffreeradius-server.git

check for fragment with insufficient room for header
---

diff --git a/src/protocols/radius/decode.c b/src/protocols/radius/decode.c
index 8ef039f3867..d7faf796573 100644
--- a/src/protocols/radius/decode.c
+++ b/src/protocols/radius/decode.c
@@ -887,7 +887,7 @@ static ssize_t decode_extended_fragments(TALLOC_CTX *ctx, fr_pair_list_t *out,
 	last_frag = false;
 
 	while (frag < end) {
-		if (last_frag ||
+		if (last_frag || ((end - frag) < 2) ||
 		    (frag[0] != attr[0]) ||
 		    (frag[1] < 4) ||		       /* too short for long-extended */
 		    (frag[2] != attr[2]) ||