radius: sanity check for vendor attribute length

author: Dmitry Kozlov <xeb@mail.ru> 2020-10-21 12:40:26 +0300
committer: Dmitry Kozlov <xeb@mail.ru> 2020-10-21 12:40:26 +0300
commit: e9d369aa0054312b7633e964e9f7eb323f1f3d69 (patch)
tree: 74a4a6798099c1545465eb68c9aa1cc6037933fb /accel-pppd/radius
parent: c8575ff09416c967aa6907b5b4e9b187d4a78d14 (diff)
download: accel-ppp-e9d369aa0054312b7633e964e9f7eb323f1f3d69.tar.gz
accel-ppp-e9d369aa0054312b7633e964e9f7eb323f1f3d69.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/accel-pppd/radius/packet.c b/accel-pppd/radius/packet.c
index e33e88e..07ddf6b 100644
--- a/accel-pppd/radius/packet.c
+++ b/accel-pppd/radius/packet.c
@@ -206,6 +206,14 @@ int rad_packet_recv(int fd, struct rad_packet_t **p, struct sockaddr_in *addr)
 				len -= vendor->tag + vendor->len;
 
 				n -= 4 + vendor->tag + vendor->len;
+				if (len < 0) {
+					log_ppp_warn("radius:packet invalid vendor attribute len received\n");
+					goto out_err;
+				}
+				if (2 + len > n) {
+					log_ppp_warn("radius:packet: too long vendor attribute received (%i, %i)\n", id, len);
+					goto out_err;
+				}
 			} else
 				log_ppp_warn("radius:packet: vendor %i not found\n", id);
 		} else
author	Dmitry Kozlov <xeb@mail.ru>	2020-10-21 12:40:26 +0300
committer	Dmitry Kozlov <xeb@mail.ru>	2020-10-21 12:40:26 +0300
commit	e9d369aa0054312b7633e964e9f7eb323f1f3d69 (patch)
tree	74a4a6798099c1545465eb68c9aa1cc6037933fb /accel-pppd/radius
parent	c8575ff09416c967aa6907b5b4e9b187d4a78d14 (diff)
download	accel-ppp-e9d369aa0054312b7633e964e9f7eb323f1f3d69.tar.gz accel-ppp-e9d369aa0054312b7633e964e9f7eb323f1f3d69.zip