On Thu, Mar 02, 2023 at 08:56:10AM -0700, Todd C. Miller wrote:
> The following patch should fix the problem, can you try it out?
>
> - todd

Hi Todd,

Thanks for the quick patch, that was really awesome! I modified it a little
to use ntohs(auth.length) in the length check. Other than that it reads
great and compiles. I don't have a RADIUS setup here at the moment so I
can't test it.

Best Regards,
-peter

Index: raddauth.c
===================================================================
RCS file: /cvs/src/libexec/login_radius/raddauth.c,v
retrieving revision 1.30
diff -u -p -u -r1.30 raddauth.c
--- raddauth.c 28 Jun 2019 13:32:53 -0000 1.30
+++ raddauth.c 2 Mar 2023 16:05:20 -0000
@@ -451,17 +451,21 @@ rad_recv(char *state, char *challenge, u
struct sockaddr_in sin;
u_char recv_vector[AUTH_VECTOR_LEN], test_vector[AUTH_VECTOR_LEN];
MD5_CTX context;
+ ssize_t total_length;
salen = sizeof(sin);
alarm(timeout);
- if ((recvfrom(sockfd, &auth, sizeof(auth), 0,
- (struct sockaddr *)&sin, &salen)) < AUTH_HDR_LEN) {
+ total_length = recvfrom(sockfd, &auth, sizeof(auth), 0,
+ (struct sockaddr *)&sin, &salen);
+ alarm(0);
+ if (total_length < AUTH_HDR_LEN) {
if (timedout)
return(-1);
errx(1, "bogus auth packet from server");
}
- alarm(0);
+ if (ntohs(auth.length) > total_length)
+ errx(1, "bogus auth packet from server");
if (sin.sin_addr.s_addr != auth_server)
errx(1, "bogus authentication server");
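
Review bot: The added `ntohs(auth.length) > total_length` test bounds the declared length only from above, so a reply whose length field is smaller than AUTH_HDR_LEN still passes both checks in this hunk. Consider rejecting that case in the same condition, e.g. `if (ntohs(auth.length) < AUTH_HDR_LEN || ntohs(auth.length) > total_length)`, so that anything later relying on auth.length sees a value between the header size and the number of bytes actually received. Moving `alarm(0)` to directly after `recvfrom()` is a good change, since the timer is now cleared on the error paths as well.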