From ab1b84327c5ecddf485734baa49b0b846f756c05 Mon Sep 17 00:00:00 2001
From: Paul Mackerras <paulus@ozlabs.org>
Date: Mon, 4 Jan 2021 14:20:10 +1100
Subject: [PATCH] plugins/radius: Eliminate some potential buffer overruns

Increase AUTH_STRING_LEN and add extra checks in rc_avpair_gen()
to make sure that we can not overflow pair->strvalue.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
---
 pppd/plugins/radius/avpair.c       | 4 ++--
 pppd/plugins/radius/radiusclient.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pppd/plugins/radius/avpair.c b/pppd/plugins/radius/avpair.c
index b97a7cf..d548b47 100644
--- a/pppd/plugins/radius/avpair.c
+++ b/pppd/plugins/radius/avpair.c
@@ -175,12 +175,12 @@ VALUE_PAIR *rc_avpair_gen (AUTH_HDR *auth)
 	{
 		attribute = *ptr++;
 		attrlen = *ptr++;
-		attrlen -= 2;
-		if (attrlen < 0)
+		if (attrlen < 2 || attrlen > length)
 		{
 			error("rc_avpair_gen: received attribute with invalid length");
 			break;
 		}
+		attrlen -= 2;
 
 		/* Handle vendor-specific specially */
 		if (attribute == PW_VENDOR_SPECIFIC) {
diff --git a/pppd/plugins/radius/radiusclient.h b/pppd/plugins/radius/radiusclient.h
index 17f6425..665ad94 100644
--- a/pppd/plugins/radius/radiusclient.h
+++ b/pppd/plugins/radius/radiusclient.h
@@ -31,7 +31,7 @@ typedef int          INT4;
 #define AUTH_VECTOR_LEN		16
 #define AUTH_PASS_LEN		(3 * 16) /* multiple of 16 */
 #define AUTH_ID_LEN		64
-#define AUTH_STRING_LEN		128	 /* maximum of 253 */
+#define AUTH_STRING_LEN		253	 /* maximum of 253 */
 
 #define	BUFFER_LEN		8192
 
-- 
2.39.2