[Bug 256283] FreeBSD-SA-21:12.libradius breaks mpd5 when using MS-CHAPv2

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 31 May 2021 09:06:59 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256283

--- Comment #1 from topical <topical_at_gmx.net> ---
The CVE fix broke the following function:

int
rad_get_attr(struct rad_handle *h, const void **value, size_t *lenp)
{
        int len, type;

        if (h->in_pos >= h->in_len)
                return 0;
        if (h->in_pos + 2 > h->in_len) {
                generr(h, "Malformed attribute in response");
                return -1;
        }
        type = h->in[h->in_pos++];
        len = h->in[h->in_pos++];
        if (len < 2 || h->in_pos + len > h->in_len) {
                generr(h, "Malformed attribute in response");
                return -1;
        }
        *lenp = len;
        *value = &h->in[h->in_pos];
        h->in_pos += len;
        return type;
}

The failure occurs after

        len = h->in[h->in_pos++];

This len is the total length of the attribute, **including** the 2 byte header.
All lines below assume that len excludes the header, so lenp is 2 byte too long
and h->in_pos is shifted 2 bytes too far. 

When you call rad_get_attr() for the first time, the returned data is just 2
bytes to long (unless there is only 1 attribute, in which case you get a
"Malformed attribute" error because of the "missing" 2 extra bytes). But: as
h->in_pos is located 2 bytes within the second attribute on return, all
subsequent calls to rad_get_attr() will return garbage.

A possible fix is:

int
rad_get_attr(struct rad_handle *h, const void **value, size_t *lenp)
{
        int len, type;

        if (h->in_pos >= h->in_len)
                return 0;
        if (h->in_pos + 2 > h->in_len) {
                generr(h, "Malformed attribute in response");
                return -1;
        }
        type = h->in[h->in_pos];
        len = h->in[h->in_pos + 1];
        if (len < 2 || h->in_pos + len > h->in_len) {
                generr(h, "Malformed attribute in response");
                return -1;
        }
        *lenp = len - 2;
        *value = &h->in[h->in_pos + 2];
        h->in_pos += len;
        return type;
}

The missing piece is: how to properly distribute this fix of the broken CVE
fix?

-- 
You are receiving this mail because:
You are the assignee for the bug.
Received on Mon May 31 2021 - 09:06:59 UTC

Original text of this message