On Thu, Mar 02, 2023 at 08:56:10AM -0700, Todd C. Miller wrote:
> The following patch should fix the problem, can you try it out?
>
>  - todd

Hi Todd,

thanks for the quick patch, that was really awesome! I modified it a little to use ntohs(auth.length) in the length check. Other than that it reads great and compiles. I don't have a radius setup here at the moment so I can't test it.

Best Regards,
-peter

Index: raddauth.c =================================================================== RCS file: /cvs/src/libexec/login_radius/raddauth.c,v retrieving revision 1.30 diff -u -p -u -r1.30 raddauth.c --- raddauth.c 28 Jun 2019 13:32:53 -0000 1.30 +++ raddauth.c 2 Mar 2023 16:05:20 -0000 @@ -451,17 +451,21 @@ rad_recv(char *state, char *challenge, u struct sockaddr_in sin; u_char recv_vector[AUTH_VECTOR_LEN], test_vector[AUTH_VECTOR_LEN]; MD5_CTX context; + ssize_t total_length; salen = sizeof(sin); alarm(timeout); - if ((recvfrom(sockfd, &auth, sizeof(auth), 0, - (struct sockaddr *)&sin, &salen)) < AUTH_HDR_LEN) { + total_length = recvfrom(sockfd, &auth, sizeof(auth), 0, + (struct sockaddr *)&sin, &salen); + alarm(0); + if (total_length < AUTH_HDR_LEN) { if (timedout) return(-1); errx(1, "bogus auth packet from server"); } - alarm(0); + if (ntohs(auth.length) > total_length) + errx(1, "bogus auth packet from server"); if (sin.sin_addr.s_addr != auth_server) errx(1, "bogus authentication server");
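
Review bot: the added `if (ntohs(auth.length) > total_length)` test bounds the header's length field only from above, so a reply that claims a length smaller than AUTH_HDR_LEN still passes both checks. Any later code in rad_recv() that works from auth.length rather than total_length (not visible in this hunk) would then run on a value shorter than the header; consider also rejecting `ntohs(auth.length) < AUTH_HDR_LEN` in the same test. Both failure paths also share the message "bogus auth packet from server", so a short read and a length mismatch cannot be told apart from the error output; a distinct string for the new check would help when debugging against a server.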