protocols/vmps: fix loop increment and length-6 underflow in fr_vmps_print_hex

author Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>

Fri, 15 May 2026 16:05:54 +0000 (12:05 -0400)

committer Alan T. DeKok <aland@freeradius.org>

Thu, 28 May 2026 19:48:16 +0000 (15:48 -0400)
author Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>
Fri, 15 May 2026 16:05:54 +0000 (12:05 -0400)
committer Alan T. DeKok <aland@freeradius.org>
Thu, 28 May 2026 19:48:16 +0000 (15:48 -0400)
diff --git a/src/protocols/vmps/vmps.c b/src/protocols/vmps/vmps.c

index 98a2abde5c439177da657b055c9e4bc445d6983d..e857bf06c7ba29f73df6e629e45b0b54d16e50ac 100644 (file)
--- a/src/protocols/vmps/vmps.c
+++ b/src/protocols/vmps/vmps.c
@@ -494,16 +494,16 @@ void fr_vmps_print_hex(FILE *fp, uint8_t const *packet, size_t packet_len)
  
         for (attr = packet + 8, end = packet + packet_len;
              attr < end;
-            attr += length) {
+            attr += (6 + length)) {
+               if ((end - attr) < 6) break;
                 memcpy(&id, attr, 4);
                 id = ntohl(id);
-
                 length = fr_nbo_to_uint16(attr + 4);
-               if (length > (end - attr)) break;
+               if ((size_t)(end - attr) < (6 + (size_t)length)) break;
  
                 fprintf(fp, "\t\t%08x  %04x  ", id, length);
  
-               print_hex_data(attr + 6, length - 6, 3);
+               print_hex_data(attr + 6, length, 3);
         }
  }
author	Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>
	Fri, 15 May 2026 16:05:54 +0000 (12:05 -0400)
committer	Alan T. DeKok <aland@freeradius.org>
	Thu, 28 May 2026 19:48:16 +0000 (15:48 -0400)