From e9d369aa0054312b7633e964e9f7eb323f1f3d69 Mon Sep 17 00:00:00 2001
From: Dmitry Kozlov <xeb@mail.ru>
Date: Wed, 21 Oct 2020 12:40:26 +0300
Subject: radius: sanity check for vendor attribute length

---
 accel-pppd/radius/packet.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'accel-pppd')

diff --git a/accel-pppd/radius/packet.c b/accel-pppd/radius/packet.c
index e33e88ef..07ddf6be 100644
--- a/accel-pppd/radius/packet.c
+++ b/accel-pppd/radius/packet.c
@@ -206,6 +206,14 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr)
 				len -= vendor->tag + vendor->len;
 
 				n -= 4 + vendor->tag + vendor->len;
+				if (len < 0) {
+					log_ppp_warn("radius:packet invalid vendor attribute len received\n");
+					goto out_err;
+				}
+				if (2 + len > n) {
+					log_ppp_warn("radius:packet: too long vendor attribute received (%i, %i)\n", id, len);
+					goto out_err;
+				}
 			} else
 				log_ppp_warn("radius:packet: vendor %i not found\n", id);
 		} else
-- 
cgit v1.2.3