plugins/radius: Eliminate some potential buffer overruns

Increase AUTH_STRING_LEN and add extra checks in rc_avpair_gen()
to make sure that we can not overflow pair->strvalue.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>

diff --git a/pppd/plugins/radius/avpair.c b/pppd/plugins/radius/avpair.c
index b97a7cf3632fbf4dcdccf51e724abe68c59ac897..d548b47b1d23bd5ecc4c56b6ad2081a2068463dc 100644 (file)
--- a/pppd/plugins/radius/avpair.c
+++ b/pppd/plugins/radius/avpair.c
@@ -175,12 +175,12 @@ VALUE_PAIR *rc_avpair_gen (AUTH_HDR *auth)
        {
                attribute = *ptr++;
                attrlen = *ptr++;
-               attrlen -= 2;
-               if (attrlen < 0)
+               if (attrlen < 2 || attrlen > length)
                {
                        error("rc_avpair_gen: received attribute with invalid length");
                        break;
                }
+               attrlen -= 2;
 
                /* Handle vendor-specific specially */
                if (attribute == PW_VENDOR_SPECIFIC) {

diff --git a/pppd/plugins/radius/radiusclient.h b/pppd/plugins/radius/radiusclient.h
index 17f64259d222364f5d12a39da4e65baddcc22451..665ad946977496577b3951feac2845650679f647 100644 (file)
--- a/pppd/plugins/radius/radiusclient.h
+++ b/pppd/plugins/radius/radiusclient.h
@@ -31,7 +31,7 @@ typedef int          INT4;
 #define AUTH_VECTOR_LEN                16
 #define AUTH_PASS_LEN          (3 * 16) /* multiple of 16 */
 #define AUTH_ID_LEN            64
-#define AUTH_STRING_LEN                128      /* maximum of 253 */
+#define AUTH_STRING_LEN                253      /* maximum of 253 */
 
 #define        BUFFER_LEN              8192