Increase AUTH_STRING_LEN and add extra checks in rc_avpair_gen()
to make sure that we can not overflow pair->strvalue.
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
{
attribute = *ptr++;
attrlen = *ptr++;
- attrlen -= 2;
- if (attrlen < 0)
+ if (attrlen < 2 || attrlen > length)
{
error("rc_avpair_gen: received attribute with invalid length");
break;
}
+ attrlen -= 2;
/* Handle vendor-specific specially */
if (attribute == PW_VENDOR_SPECIFIC) {
#define AUTH_VECTOR_LEN 16
#define AUTH_PASS_LEN (3 * 16) /* multiple of 16 */
#define AUTH_ID_LEN 64
-#define AUTH_STRING_LEN 128 /* maximum of 253 */
+#define AUTH_STRING_LEN 253 /* maximum of 253 */
#define BUFFER_LEN 8192