From 6726c16549b131ed39f6f8886cdf5d9d922a9a97 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Tue, 27 Jun 2017 21:54:10 -0400
Subject: [PATCH] FR-GV-302 - do checks based on pointers, not on decoded data

because decoded data may be empty
---
 src/lib/radius.c       | 10 +++++++++-
 src/tests/unit/rfc.txt | 12 ++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

Index: freeradius-3.0.12+dfsg/src/lib/radius.c
===================================================================
--- freeradius-3.0.12+dfsg.orig/src/lib/radius.c
+++ freeradius-3.0.12+dfsg/src/lib/radius.c
@@ -2934,16 +2934,23 @@ static ssize_t data2vp_concat(TALLOC_CTX
 	 *	don't care about walking off of the end of it.
 	 */
 	while (ptr < end) {
+		if (ptr[1] < 2) return -1;
+		if ((ptr + ptr[1]) > end) return -1;
+
 		total += ptr[1] - 2;
 
 		ptr += ptr[1];
 
+		if (ptr == end) break;
+
 		/*
 		 *	Attributes MUST be consecutive.
 		 */
 		if (ptr[0] != attr) break;
 	}
 
+	end = ptr;
+
 	vp = fr_pair_afrom_da(ctx, da);
 	if (!vp) return -1;
 
@@ -2956,7 +2963,7 @@ static ssize_t data2vp_concat(TALLOC_CTX
 
 	total = 0;
 	ptr = start;
-	while (total < vp->vp_length) {
+	while (ptr < end) {
 		memcpy(p, ptr + 2, ptr[1] - 2);
 		p += ptr[1] - 2;
 		total += ptr[1] - 2;
@@ -2964,6 +2971,7 @@ static ssize_t data2vp_concat(TALLOC_CTX
 	}
 
 	*pvp = vp;
+
 	return ptr - start;
 }
 
Index: freeradius-3.0.12+dfsg/src/tests/unit/rfc.txt
===================================================================
--- freeradius-3.0.12+dfsg.orig/src/tests/unit/rfc.txt
+++ freeradius-3.0.12+dfsg/src/tests/unit/rfc.txt
@@ -178,6 +178,18 @@ data Failed to parse IPv4 address string
 attribute PMIP6-Home-IPv4-HoA = bob/8
 data Failed to parse IPv4 address string "bob/8"
 
+#
+#  A "concat" attribute, with no data
+#
+decode 89 02
+data PKM-SS-Cert = 0x
+
+#
+#  Or with weirdly formatted data
+#
+decode 89 03 ff 89 02 89 03 fe
+data PKM-SS-Cert = 0xfffe
+
 $INCLUDE tunnel.txt
 $INCLUDE errors.txt
 $INCLUDE extended.txt