[Bug 256283] FreeBSD-SA-21:12.libradius breaks mpd5 when using MS-CHAPv2
Date: Mon, 31 May 2021 09:06:59 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256283
--- Comment #1 from topical <topical@gmx.net> ---
The CVE fix broke the following function:
int
rad_get_attr(struct rad_handle *h, const void **value, size_t *lenp)
{
	int len, type;

	if (h->in_pos >= h->in_len)
		return 0;
	if (h->in_pos + 2 > h->in_len) {
		generr(h, "Malformed attribute in response");
		return -1;
	}
	type = h->in[h->in_pos++];
	len = h->in[h->in_pos++];	/* total attribute length, header included */
	if (len < 2 || h->in_pos + len > h->in_len) {
		generr(h, "Malformed attribute in response");
		return -1;
	}
	*lenp = len;			/* treated as payload length: 2 bytes too long */
	*value = &h->in[h->in_pos];
	h->in_pos += len;		/* advances 2 bytes past the next attribute start */
	return type;
}
The failure occurs after
len = h->in[h->in_pos++];
This len is the total length of the attribute, **including** the 2-byte header.
All lines below assume that len excludes the header, so lenp is 2 bytes too long
and h->in_pos is shifted 2 bytes too far.
When you call rad_get_attr() for the first time, the returned data is just 2
bytes too long (unless there is only 1 attribute, in which case you get a
"Malformed attribute" error because of the "missing" 2 extra bytes). But: as
h->in_pos is located 2 bytes within the second attribute on return, all
subsequent calls to rad_get_attr() will return garbage.
A possible fix is:
int
rad_get_attr(struct rad_handle *h, const void **value, size_t *lenp)
{
	int len, type;

	if (h->in_pos >= h->in_len)
		return 0;
	if (h->in_pos + 2 > h->in_len) {
		generr(h, "Malformed attribute in response");
		return -1;
	}
	type = h->in[h->in_pos];
	len = h->in[h->in_pos + 1];	/* total attribute length, header included */
	if (len < 2 || h->in_pos + len > h->in_len) {
		generr(h, "Malformed attribute in response");
		return -1;
	}
	*lenp = len - 2;		/* payload length excludes the header */
	*value = &h->in[h->in_pos + 2];	/* payload starts after type and length */
	h->in_pos += len;		/* len already covers the header */
	return type;
}
The missing piece is: how to properly distribute this fix of the broken CVE
fix?
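Added example, not code from the bug report or from libradius: a stand-alone C harness that runs both the SA-21:12 parser and the proposed fix over a constructed two-attribute reply, showing the first attribute coming back 2 bytes too long and the second one failing as malformed. The struct rad_handle stand-in is an assumption; generr() is replaced by a bare -1 return.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for libradius' struct rad_handle (constructed for this example). */
struct rad_handle { const uint8_t *in; size_t in_len; size_t in_pos; };
typedef int (*get_attr_fn)(struct rad_handle *, const void **, size_t *);

/* SA-21:12 version: the header is consumed, but len (which counts that
 * header) is then applied as if it covered the payload alone. */
static int get_attr_broken(struct rad_handle *h, const void **value, size_t *lenp)
{
    int type, len;
    if (h->in_pos >= h->in_len) return 0;               /* end of attributes */
    if (h->in_pos + 2 > h->in_len) return -1;           /* malformed */
    type = h->in[h->in_pos++];
    len = h->in[h->in_pos++];
    if (len < 2 || h->in_pos + len > h->in_len) return -1;
    *lenp = len;                                        /* 2 bytes too long */
    *value = &h->in[h->in_pos];
    h->in_pos += len;                                   /* overshoots by 2 */
    return type;
}

/* Proposed fix: len covers the 2-byte header, so the payload is len - 2
 * bytes starting 2 bytes past the start of the attribute. */
static int get_attr_fixed(struct rad_handle *h, const void **value, size_t *lenp)
{
    int type, len;
    if (h->in_pos >= h->in_len) return 0;
    if (h->in_pos + 2 > h->in_len) return -1;
    type = h->in[h->in_pos];
    len = h->in[h->in_pos + 1];
    if (len < 2 || h->in_pos + len > h->in_len) return -1;
    *lenp = len - 2;
    *value = &h->in[h->in_pos + 2];
    h->in_pos += len;
    return type;
}

/* Constructed sample reply: User-Name(1)="bob" then Reply-Message(18)="hi". */
static const uint8_t sample[] = { 1, 5, 'b', 'o', 'b', 18, 4, 'h', 'i' };
static int g_types[4]; static size_t g_lens[4];     /* (type, payload length) per attr */

/* Run a parser over the whole buffer; returns the attribute count, or -1 on "malformed". */
static int walk(get_attr_fn fn, const uint8_t *buf, size_t n)
{
    struct rad_handle h = { buf, n, 0 };
    const void *v; size_t l; int t = 0, count = 0;
    while (count < 4 && (t = fn(&h, &v, &l)) > 0) { g_types[count] = t; g_lens[count] = l; count++; }
    return t < 0 ? -1 : count;
}
```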