Date: Mon, 31 May 2021 09:06:59 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 256283] FreeBSD-SA-21:12.libradius breaks mpd5 when using MS-CHAPv2
Message-ID: <bug-256283-227-YiYPabf9pF@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-256283-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256283

--- Comment #1 from topical <topical@gmx.net> ---

The CVE fix broke the following function:

    int
    rad_get_attr(struct rad_handle *h, const void **value, size_t *lenp)
    {
        int len, type;

        if (h->in_pos >= h->in_len)
            return 0;
        if (h->in_pos + 2 > h->in_len) {
            generr(h, "Malformed attribute in response");
            return -1;
        }
        type = h->in[h->in_pos++];
        len = h->in[h->in_pos++];
        if (len < 2 || h->in_pos + len > h->in_len) {
            generr(h, "Malformed attribute in response");
            return -1;
        }
        *lenp = len;
        *value = &h->in[h->in_pos];
        h->in_pos += len;
        return type;
    }

The failure occurs after

    len = h->in[h->in_pos++];

This len is the total length of the attribute, **including** the 2 byte header. All lines below assume that len excludes the header, so lenp is 2 bytes too long and h->in_pos is shifted 2 bytes too far.

When you call rad_get_attr() for the first time, the returned data is just 2 bytes too long (unless there is only 1 attribute, in which case you get a "Malformed attribute" error because of the "missing" 2 extra bytes). But: as h->in_pos is located 2 bytes within the second attribute on return, all subsequent calls to rad_get_attr() will return garbage.

A possible fix is:

    int
    rad_get_attr(struct rad_handle *h, const void **value, size_t *lenp)
    {
        int len, type;

        if (h->in_pos >= h->in_len)
            return 0;
        if (h->in_pos + 2 > h->in_len) {
            generr(h, "Malformed attribute in response");
            return -1;
        }
        type = h->in[h->in_pos];
        len = h->in[h->in_pos + 1];
        if (len < 2 || h->in_pos + len > h->in_len) {
            generr(h, "Malformed attribute in response");
            return -1;
        }
        *lenp = len - 2;
        *value = &h->in[h->in_pos + 2];
        h->in_pos += len;
        return type;
    }

The missing piece is: how to properly distribute this fix of the broken CVE fix?

-- 
You are receiving this mail because:
You are the assignee for the bug.
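The cursor drift the comment describes is easiest to see by running both versions of the attribute cursor over the same bytes. The following is an added, self-contained C example; it is neither libradius code nor the commenter's patch. It assumes a cut-down `struct rad_handle` with only the three fields the cursor touches, and it keeps just the attribute area in `in[]` (the real library holds the whole response and starts `in_pos` after the 20-byte RADIUS header). The attribute bytes are constructed for the demo, not captured from a server. `rad_get_attr_broken` is the version the comment says the advisory shipped, and `rad_get_attr_fixed` is the corrected one; `walk_attrs` drives either over a buffer and reports what each call returned.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Cut-down stand-in for libradius's struct rad_handle (assumption: only the
 * fields the attribute cursor uses; in[] holds just the attribute area). */
struct rad_handle {
    const unsigned char *in;
    size_t in_len;
    size_t in_pos;
    char errmsg[80];
};

static void generr(struct rad_handle *h, const char *msg)
{
    snprintf(h->errmsg, sizeof h->errmsg, "%s", msg);
}

/* Version quoted in the comment as broken: len is the TLV's total length
 * (header included) but is then used as if it were the value length, so the
 * caller gets two extra bytes and the cursor lands inside the next TLV. */
static int rad_get_attr_broken(struct rad_handle *h, const void **value, size_t *lenp)
{
    size_t len;
    int type;

    if (h->in_pos >= h->in_len)
        return 0;
    if (h->in_pos + 2 > h->in_len) {
        generr(h, "Malformed attribute in response");
        return -1;
    }
    type = h->in[h->in_pos++];
    len = h->in[h->in_pos++];
    if (len < 2 || h->in_pos + len > h->in_len) {
        generr(h, "Malformed attribute in response");
        return -1;
    }
    *lenp = len;
    *value = &h->in[h->in_pos];
    h->in_pos += len;
    return type;
}

/* Corrected cursor: peek at type and length without advancing, bounds-check
 * the whole TLV, then hand back only the value bytes and skip the full TLV. */
static int rad_get_attr_fixed(struct rad_handle *h, const void **value, size_t *lenp)
{
    size_t len;
    int type;

    if (h->in_pos >= h->in_len)
        return 0;
    if (h->in_pos + 2 > h->in_len) {
        generr(h, "Malformed attribute in response");
        return -1;
    }
    type = h->in[h->in_pos];
    len = h->in[h->in_pos + 1];
    if (len < 2 || h->in_pos + len > h->in_len) {
        generr(h, "Malformed attribute in response");
        return -1;
    }
    *lenp = len - 2;
    *value = &h->in[h->in_pos + 2];
    h->in_pos += len;
    return type;
}

struct attr { int type; size_t len; const unsigned char *value; };
typedef int (*getattr_fn)(struct rad_handle *, const void **, size_t *);

/* Pull attributes until end-of-buffer. Returns the count, or -1 if the cursor
 * reported a malformed attribute; entries decoded before that stay in out[]. */
static int walk_attrs(getattr_fn get, const unsigned char *buf, size_t n,
                      struct attr *out, int max)
{
    struct rad_handle h = { buf, n, 0, "" };
    int count = 0;
    for (;;) {
        const void *v;
        size_t l;
        int t = get(&h, &v, &l);
        if (t == 0)
            return count;
        if (t < 0)
            return -1;
        if (count < max) {
            out[count].type = t;
            out[count].len = l;
            out[count].value = v;
        }
        count++;
    }
}

/* Constructed attribute area (not a captured packet): User-Name(1) "alice",
 * Framed-IP-Address(8) 10.2.0.1, Reply-Message(18) "ok". Each length byte
 * counts the 2-byte header, as RFC 2865 specifies. */
static const unsigned char SAMPLE_ATTRS[] = {
    1, 7, 'a', 'l', 'i', 'c', 'e',
    8, 6, 10, 2, 0, 1,
    18, 4, 'o', 'k',
};
/* Single-attribute response: the case where the broken cursor errors out. */
static const unsigned char SINGLE_ATTR[] = { 18, 4, 'o', 'k' };

int main(void)
{
    struct attr a[8];
    int n = walk_attrs(rad_get_attr_fixed, SAMPLE_ATTRS, sizeof SAMPLE_ATTRS, a, 8);
    printf("fixed:  %d attributes\n", n);
    for (int i = 0; i < n; i++)
        printf("  type=%d len=%zu\n", a[i].type, a[i].len);
    n = walk_attrs(rad_get_attr_broken, SAMPLE_ATTRS, sizeof SAMPLE_ATTRS, a, 8);
    printf("broken: walk returned %d; first attr len=%zu, second type=%d\n",
           n, a[0].len, a[1].type);
    return 0;
}
```

With the sample bytes the broken cursor returns User-Name as 7 bytes ("alice" plus the 0x08 0x06 header of the next attribute), then reads type 10 / length 2 out of the middle of the Framed-IP-Address value, and finally fails with "Malformed attribute" on the last TLV; the fixed cursor returns three attributes with lengths 5, 4 and 2. On the single-attribute buffer the broken cursor fails immediately, exactly the case the comment calls out.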
