From: Alan T. DeKok
Date: Wed, 27 Nov 2024 16:30:29 +0000 (-0500)
Subject: reset the input pointer if it changes. Fixes #5462
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd2123a3c7e12d1ecfe2068509174b4860dcdaea;p=thirdparty%2Ffreeradius-server.git

reset the input pointer if it changes. Fixes #5462

There are larger underlying problems, though.

The API to fr_sbuff_terminal_search() is wrong. It accepts an input pointer "p", which points to somewhere in the middle of the sbuff. As a result, if the sbuff is shifted due to reads, the sbuff->p pointer changes, and the "cached" p passed to fr_sbuff_terminal_search() points to somewhere wild.

As a result, most _callers_ of fr_sbuff_terminal_search() are likely wrong, too, as they cache p = sbuff->p, and don't expect that pointer to change under them.
---
diff --git a/src/lib/util/sbuff.c b/src/lib/util/sbuff.c index 06678c89fec..692884adfd1 100644 --- a/src/lib/util/sbuff.c +++ b/src/lib/util/sbuff.c @@ -536,11 +536,13 @@ static inline bool fr_sbuff_terminal_search(fr_sbuff_t *in, char const *p, ssize_t mid; size_t remaining; + bool reset_p = (p == in->p); fr_sbuff_extend_status_t status = FR_SBUFF_EXTENDABLE; if (!term) return false; /* If there's no terminals, we don't need to search */ end = term->len - 1; + term_idx = idx[(uint8_t)*p]; /* Fast path */ if (!term_idx) return false; @@ -553,6 +555,8 @@ static inline bool fr_sbuff_terminal_search(fr_sbuff_t *in, char const *p, return (idx['\0'] != 0); } + if (reset_p) p = in->p; + mid = term_idx - 1; /* Inform the mid point from the index */ while (start <= end) {
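
Review bot: the new `bool reset_p = (p == in->p);` in the first hunk (@@ -536) only recognises the case where the caller passed the current position, so a `p` that points anywhere else in the buffer is still left stale when the sbuff shifts, which is the situation the commit message itself describes ("somewhere in the middle of the sbuff"). Consider recording the offset of `p` from `in->p` on entry and recomputing `p` from that offset after the buffer may have moved (assuming a shift moves every position by the same amount), or, if only `p == in->p` is meant to be supported, asserting that on entry so that other callers fail loudly instead of reading through a wild pointer.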
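
Review bot: `if (reset_p) p = in->p;` in the second hunk (@@ -553) refreshes `p` exactly once, just before `while (start <= end)`; if anything inside that loop can extend or shift the buffer, `p` goes stale again, so either refresh it after each such call or add a comment saying why one refresh is enough. The line also carries no comment explaining why the pointer can change, and since `p` is passed by value (`char const *p`) the caller's cached copy is not corrected by this change, so a short comment here pointing at the caller-side problem from the commit message would help the next reader. The diff touches only `src/lib/util/sbuff.c`; a regression test for #5462 would be worth adding alongside it.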