From: Alexander Bainbridge-Sedivy Date: Fri, 15 May 2026 16:05:54 +0000 (-0400) Subject: protocols/vmps: fix loop increment and length-6 underflow in fr_vmps_print_hex X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=08043c6df027ed5cfa4f90944f2aa789dbb28cbb;p=thirdparty%2Ffreeradius-server.git protocols/vmps: fix loop increment and length-6 underflow in fr_vmps_print_hex --- diff --git a/src/protocols/vmps/vmps.c b/src/protocols/vmps/vmps.c index 98a2abde5c4..e857bf06c7b 100644 --- a/src/protocols/vmps/vmps.c +++ b/src/protocols/vmps/vmps.c @@ -494,16 +494,16 @@ void fr_vmps_print_hex(FILE *fp, uint8_t const *packet, size_t packet_len) for (attr = packet + 8, end = packet + packet_len; attr < end; - attr += length) { + attr += (6 + length)) { + if ((end - attr) < 6) break; memcpy(&id, attr, 4); id = ntohl(id); - length = fr_nbo_to_uint16(attr + 4); - if (length > (end - attr)) break; + if ((size_t)(end - attr) < (6 + (size_t)length)) break; fprintf(fp, "\t\t%08x %04x ", id, length); - print_hex_data(attr + 6, length - 6, 3); + print_hex_data(attr + 6, length, 3); } }
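Review bot: Both early exits in the loop (`if ((end - attr) < 6) break;` and the `6 + length` bounds check) stop the dump silently, so a truncated or malformed attribute looks the same in the output as a packet that simply ended; for a debug printer it is worth emitting a marker before each `break`, e.g. `fprintf(fp, "\t\t<truncated attribute, %zu bytes left>\n", (size_t)(end - attr));`. The hunk also changes `length` from covering the whole attribute to covering only the payload after the 6-byte id/length header, which deserves a comment such as `/* length excludes the 6-byte attribute header */` next to the `fr_nbo_to_uint16(attr + 4)` read. With whitespace collapsed on this page it is not clear whether that read is kept as context or removed, and the new bounds check relies on `length` being assigned on every iteration before it is tested. The function starts outside the hunk, so whether `packet_len >= 8` is verified before `packet + 8` is formed cannot be confirmed here.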