Date:      Mon, 31 May 2021 09:06:59 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 256283] FreeBSD-SA-21:12.libradius breaks mpd5 when using MS-CHAPv2
Message-ID:  <bug-256283-227-YiYPabf9pF@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-256283-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-256283-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256283

--- Comment #1 from topical <topical@gmx.net> ---
The CVE fix broke the following function:

int
rad_get_attr(struct rad_handle *h, const void **value, size_t *lenp)
{
        int len, type;

        if (h->in_pos >= h->in_len)
                return 0;
        if (h->in_pos + 2 > h->in_len) {
                generr(h, "Malformed attribute in response");
                return -1;
        }
        type = h->in[h->in_pos++];
        len = h->in[h->in_pos++];   /* on-wire length, header included */
        if (len < 2 || h->in_pos + len > h->in_len) {
                generr(h, "Malformed attribute in response");
                return -1;
        }
        *lenp = len;                /* treated as payload length below */
        *value = &h->in[h->in_pos];
        h->in_pos += len;
        return type;
}

The failure occurs after

        len = h->in[h->in_pos++];

This len is the total length of the attribute, **including** the 2 byte header.
All lines below assume that len excludes the header, so lenp is 2 bytes too long
and h->in_pos is shifted 2 bytes too far.

When you call rad_get_attr() for the first time, the returned data is just 2
bytes too long (unless there is only 1 attribute, in which case you get a
"Malformed attribute" error because of the "missing" 2 extra bytes). But: as
h->in_pos is located 2 bytes within the second attribute on return, all
subsequent calls to rad_get_attr() will return garbage.

A possible fix is:

int
rad_get_attr(struct rad_handle *h, const void **value, size_t *lenp)
{
        int len, type;

        if (h->in_pos >= h->in_len)
                return 0;
        if (h->in_pos + 2 > h->in_len) {
                generr(h, "Malformed attribute in response");
                return -1;
        }
        type = h->in[h->in_pos];
        len = h->in[h->in_pos + 1];     /* on-wire length, header included */
        if (len < 2 || h->in_pos + len > h->in_len) {
                generr(h, "Malformed attribute in response");
                return -1;
        }
        *lenp = len - 2;                /* payload length only */
        *value = &h->in[h->in_pos + 2]; /* payload starts after the header */
        h->in_pos += len;               /* advance by the full attribute */
        return type;
}

The missing piece is: how to properly distribute this fix of the broken CVE
fix?

-- 
You are receiving this mail because:
You are the assignee for the bug.
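A stand-alone C version of the corrected parser from the comment above, added here as an illustration (it is not libradius code), run over a constructed RADIUS attribute list whose last attribute is truncated; struct attr_cursor, get_attr() and walk_sample() are hypothetical stand-ins for rad_handle, rad_get_attr() and generr():

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical stand-in for libradius' struct rad_handle; err replaces generr(). */
struct attr_cursor { const uint8_t *in; size_t in_len, in_pos; const char *err; };

/* Same contract as the corrected rad_get_attr(): returns the attribute type,
 * 0 at end of data, -1 on a malformed attribute. *value and *lenp describe the
 * payload only; the on-wire length byte counts the 2-byte type/length header. */
int get_attr(struct attr_cursor *c, const void **value, size_t *lenp)
{
    size_t len;
    int type;
    if (c->in_pos >= c->in_len)
        return 0;
    if (c->in_pos + 2 > c->in_len) {
        c->err = "Malformed attribute in response";
        return -1;
    }
    type = c->in[c->in_pos];
    len = c->in[c->in_pos + 1];      /* RFC 2865 attribute length, header included */
    if (len < 2 || c->in_pos + len > c->in_len) {
        c->err = "Malformed attribute in response";
        return -1;
    }
    *lenp = len - 2;                 /* payload length excludes the header */
    *value = &c->in[c->in_pos + 2];  /* payload starts after type and length */
    c->in_pos += len;                /* advance by the full on-wire length */
    return type;
}

/* Constructed sample: User-Name(1) "alice", NAS-Port(5) = 7, then a truncated
 * attribute whose length byte claims 9 bytes while only 4 remain. */
static const uint8_t sample[] = {
    1, 7, 'a', 'l', 'i', 'c', 'e',
    5, 6, 0, 0, 0, 7,
    26, 9, 0, 0
};

/* Walks sample[] (caller's arrays need room for its 2 valid attributes): records
 * type and payload length per attribute, returns the count and stores the final
 * get_attr() status (0 clean end, -1 malformed) and error text for the caller. */
int walk_sample(int *types, size_t *lens, int *status, const char **err)
{
    struct attr_cursor c = { sample, sizeof sample, 0, NULL };
    const void *v; size_t l; int n = 0, t;
    while ((t = get_attr(&c, &v, &l)) > 0) { types[n] = t; lens[n] = l; n++; }
    *status = t; *err = c.err;
    return n;
}
```

With the broken pre-fix arithmetic, the first call would report User-Name as 7 bytes and leave the cursor inside the NAS-Port attribute; here the second attribute is read cleanly and only the genuinely truncated one is rejected.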