summaryrefslogtreecommitdiff
path: root/accel-pppd/radius
diff options
context:
space:
mode:
authorxebd <xeb@mail.ru>2022-01-24 10:46:13 +0300
committerGitHub <noreply@github.com>2022-01-24 10:46:13 +0300
commit0b4ef9862c65bffd7c2e5798cb35948548ac724d (patch)
tree0f03df6240142c26554b65748970354d5dc8e411 /accel-pppd/radius
parent7c8837ebb10a0a1bb056f7e4859814bf6bd6e4ef (diff)
parentd4cb89721cc8e5b3dd3fbefaf173eb77ecb85615 (diff)
downloadaccel-ppp-0b4ef9862c65bffd7c2e5798cb35948548ac724d.tar.gz
accel-ppp-0b4ef9862c65bffd7c2e5798cb35948548ac724d.zip
Merge pull request #35 from svlobanov/fix-radius-overflow
fix buffer overflow when receive radius packet
Diffstat (limited to 'accel-pppd/radius')
-rw-r--r--accel-pppd/radius/dict.c12
-rw-r--r--accel-pppd/radius/packet.c13
2 files changed, 21 insertions, 4 deletions
diff --git a/accel-pppd/radius/dict.c b/accel-pppd/radius/dict.c
index 4924c895..145c5da2 100644
--- a/accel-pppd/radius/dict.c
+++ b/accel-pppd/radius/dict.c
@@ -193,14 +193,20 @@ static int dict_load(const char *fname)
attr->type = ATTR_TYPE_STRING;
else if (!strcmp(ptr[2], "date"))
attr->type = ATTR_TYPE_DATE;
- else if (!strcmp(ptr[2], "ipaddr"))
+ else if (!strcmp(ptr[2], "ipaddr")) {
attr->type = ATTR_TYPE_IPADDR;
+ attr->size = 4; /* RFC 8044 §3.8 ipv4addr */
+ }
else if (!strcmp(ptr[2], "octets"))
attr->type = ATTR_TYPE_OCTETS;
- else if (!strcmp(ptr[2], "ifid"))
+ else if (!strcmp(ptr[2], "ifid")) {
attr->type = ATTR_TYPE_IFID;
- else if (!strcmp(ptr[2], "ipv6addr"))
+ attr->size = 8; /* RFC 8044 §3.7 ifid */
+ }
+ else if (!strcmp(ptr[2], "ipv6addr")) {
attr->type = ATTR_TYPE_IPV6ADDR;
+ attr->size = 16; /* RFC 8044 §3.9 ipv6addr */
+ }
else if (!strcmp(ptr[2], "ipv6prefix"))
attr->type = ATTR_TYPE_IPV6PREFIX;
else if (!strcmp(ptr[2], "ether"))
diff --git a/accel-pppd/radius/packet.c b/accel-pppd/radius/packet.c
index 07ddf6be..79007036 100644
--- a/accel-pppd/radius/packet.c
+++ b/accel-pppd/radius/packet.c
@@ -258,9 +258,20 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr)
case ATTR_TYPE_IPADDR:
case ATTR_TYPE_IFID:
case ATTR_TYPE_IPV6ADDR:
- memcpy(&attr->val.integer, ptr, len);
+ if (len == da->size)
+ memcpy(&attr->val.integer, ptr, len);
+ else
+ log_ppp_warn("radius:packet: attribute %s has invalid length %i (must be %i)\n", da->name, len, da->size);
break;
case ATTR_TYPE_IPV6PREFIX:
+ if (len < 2 || len > 18) { /* RFC 8044 §3.10 ipv6prefix */
+ log_ppp_warn("radius:packet: attribute %s has invalid length %i (must be from 2 to 18)\n", da->name, len);
+ break;
+ }
+ if (ptr[1] > 128) {
+ log_ppp_warn("radius:packet: attribute %s has invalid prefix length %u (must be from 0 to 128)\n", da->name, ptr[1]);
+ break;
+ }
attr->val.ipv6prefix.len = ptr[1];
memset(&attr->val.ipv6prefix.prefix, 0, sizeof(attr->val.ipv6prefix.prefix));
memcpy(&attr->val.ipv6prefix.prefix, ptr + 2, len - 2);