From: Alexander Bainbridge-Sedivy
Date: Mon, 1 Jun 2026 18:56:32 +0000 (-0400)
Subject: rlm_sigtran/ipaccess: heap overflow in ipaccess_read_msg — attacker-controlled length...
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=eb3f2db8b65319dbe119ab5a48383289cfe82f90;p=thirdparty%2Ffreeradius-server.git
rlm_sigtran/ipaccess: heap overflow in ipaccess_read_msg — attacker-controlled length used in recv() without bounds check
---
diff --git a/src/modules/rlm_sigtran/libosmo-m3ua/ipaccess.c b/src/modules/rlm_sigtran/libosmo-m3ua/ipaccess.c
index 36cad884e2b..1227d3e8743 100644
--- a/src/modules/rlm_sigtran/libosmo-m3ua/ipaccess.c
+++ b/src/modules/rlm_sigtran/libosmo-m3ua/ipaccess.c
@@ -113,6 +113,10 @@ struct msgb *ipaccess_read_msg(struct osmo_fd *bfd, int *error)
 msgb_free(msg);
 *error = ret;
 return NULL;
+ } else if (ret < 3) {
+ msgb_free(msg);
+ *error = -EIO;
+ return NULL;
 }
 msgb_put(msg, ret);
@@ -120,6 +124,11 @@ struct msgb *ipaccess_read_msg(struct osmo_fd *bfd, int *error)
 /* then read the length as specified in header */
 msg->l2h = msg->data + sizeof(*hh);
 len = ntohs(hh->len);
+ if (len > TS1_ALLOC_SIZE - (int)sizeof(*hh)) {
+ msgb_free(msg);
+ *error = -EINVAL;
+ return NULL;
+ }
 ret = recv(bfd->fd, msg->l2h, len, 0);
 if (ret < len) {
 msgb_free(msg);
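Review bot: The short-read guard added in the first hunk (`@@ -113,6 +113,10 @@`) compares `ret` with the literal `3`, which is presumably the size of the ipaccess header but is not tied to it. Writing it as `} else if (ret < (int)sizeof(*hh)) {` matches the `sizeof(*hh)` used in the second hunk and stays correct if the header layout changes; this assumes `hh` is already declared at that point, which the hunk does not show. A short comment such as `/* header incomplete: hh->len cannot be trusted yet */` would record why the branch exists. The preceding recv() and the rest of the function lie outside the hunk.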
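Review bot: The bound added in the second hunk (`@@ -120,6 +124,11 @@`) is derived from the constant `TS1_ALLOC_SIZE` rather than from the buffer that `recv()` writes into, so it is only correct if `msg` was allocated with exactly that size and no headroom; the allocation is outside the hunk, so this cannot be confirmed here. Checking the remaining space directly with libosmocore's helper, `if (len > msgb_tailroom(msg)) {`, keeps the guard correct if the allocation ever changes. A one-line comment such as `/* hh->len is peer-controlled; never recv() more than the buffer can hold */` would also document the reason for the check. The function body begins before and continues after the hunk.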