]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
projects / thirdparty / freeradius-server.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d5a9388)
various bug fixes
authorAlan T. DeKok <aland@freeradius.org>
Thu, 4 Jun 2026 12:12:44 +0000 (08:12 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 4 Jun 2026 12:16:13 +0000 (08:16 -0400)
src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c patch | blob | blame | history

diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
index 1865195f881921157c4ea5cacab02db27ce2fa9d..91556bf44063b15a5d311707c999bd20fbf2411a 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
@@ -248,7 +248,7 @@ static int eap_mschapv2_compose(rlm_eap_mschapv2_t const *inst, request_t *reque
        } else if (reply->da == attr_ms_chap_error) {
                REDEBUG("MS-CHAPv2 Failure");
                length = 4 + reply->vp_length - 1;
-               eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length);
+               MEM(eap_round->request->type.data = talloc_array(eap_round->request, uint8_t, length));
 
                /*
                 *      Allocate room for the EAP-MS-CHAPv2 data.
@@ -415,8 +415,8 @@ static unlang_action_t CC_HINT(nonnull) mod_process(unlang_result_t *p_result, m
                        fr_pair_t       *ms;
 
 
-                       if (eap_round->response->type.length < 544) {
-                               RDEBUG2("Password change has invalid length %zu < 544",
+                       if (eap_round->response->type.length < 586) {
+                               RDEBUG2("Password change has invalid length %zu < 586",
                                        eap_round->response->type.length);
                                RETURN_UNLANG_INVALID;
                        }
@@ -580,6 +580,12 @@ failure:
                RETURN_UNLANG_INVALID;
        }
 
+       if (eap_round->response->type.length < length) {
+               REDEBUG("Response type data (%zu bytes) is shorter than claimed MS-Length (%zu)",
+                       eap_round->response->type.length, length);
+               RETURN_UNLANG_INVALID;
+       }
+
        /*
         *      We now know that the user has sent us a response
         *      to the challenge.  Let's try to authenticate it.
Mirror of https://github.com/FreeRADIUS/freeradius-server.git