]> git.ozlabs.org Git - ppp.git/blobdiff - pppd/plugins/radius/avpair.c
projects / ppp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
plugins/radius: Eliminate some potential buffer overruns
[ppp.git] / pppd / plugins / radius / avpair.c
diff --git a/pppd/plugins/radius/avpair.c b/pppd/plugins/radius/avpair.c
index b97a7cf3632fbf4dcdccf51e724abe68c59ac897..d548b47b1d23bd5ecc4c56b6ad2081a2068463dc 100644 (file)
--- a/pppd/plugins/radius/avpair.c
+++ b/pppd/plugins/radius/avpair.c
@@ -175,12 +175,12 @@ VALUE_PAIR *rc_avpair_gen (AUTH_HDR *auth)
        {
                attribute = *ptr++;
                attrlen = *ptr++;
-               attrlen -= 2;
-               if (attrlen < 0)
+               if (attrlen < 2 || attrlen > length)
                {
                        error("rc_avpair_gen: received attribute with invalid length");
                        break;
                }
+               attrlen -= 2;
 
                /* Handle vendor-specific specially */
                if (attribute == PW_VENDOR_SPECIFIC) {
PPP (Point-to-Point Protocol) implementation for Linux and Solaris