From: Antonio Torres Date: Fri, 09 Dec 2022 Subject: Fix crash on invalid abinary data A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash. Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706 Signed-off-by: Antonio Torres --- diff --git a/src/lib/filters.c b/src/lib/filters.c index 4868cd385d9f..3f3b63daeef3 100644 --- a/src/lib/filters.c +++ b/src/lib/filters.c @@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in } } } else if (filter->type == RAD_FILTER_GENERIC) { - int count; + size_t count, masklen; + + masklen = ntohs(filter->u.generic.len); + if (masklen >= sizeof(filter->u.generic.mask)) { + *p = '\0'; + return; + } i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset)); p += i; /* show the mask */ - for (count = 0; count < ntohs(filter->u.generic.len); count++) { + for (count = 0; count < masklen; count++) { i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]); p += i; outlen -= i; @@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in outlen--; /* show the value */ - for (count = 0; count < ntohs(filter->u.generic.len); count++) { + for (count = 0; count < masklen; count++) { i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]); p += i; outlen -= i;