Package: freeradius / 3.0.12+dfsg-5+deb9u1

fr-gv-304.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
From 19a18bf7c8af649c9e9742fb6a046f6aff639866 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Mon, 3 Jul 2017 15:42:35 -0400
Subject: [PATCH] FR-GV-304 - check for option overflowing the packet

---
 src/modules/proto_dhcp/dhcp.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

Index: freeradius-3.0.12+dfsg/src/modules/proto_dhcp/dhcp.c
===================================================================
--- freeradius-3.0.12+dfsg.orig/src/modules/proto_dhcp/dhcp.c
+++ freeradius-3.0.12+dfsg/src/modules/proto_dhcp/dhcp.c
@@ -628,6 +628,24 @@ static int fr_dhcp_decode_suboption(TALL
 		uint32_t	attr;
 
 		/*
+		 *	Not enough room for the option header, it's a
+		 *	bad packet.
+		 */
+		if ((p + 2) > (data + len)) {
+			fr_pair_list_free(&head);
+			return -1;
+		}
+
+		/*
+		 *	Not enough room for the option header + data,
+		 *	it's a bad packet.
+		 */
+		if ((p + 2 + p[1]) > (data + len)) {
+			fr_pair_list_free(&head);
+			return -1;
+		}
+
+		/*
 		 *	The initial OID string looks like:
 		 *	<iana>.0
 		 *