bounds-check packet code before indexing fr_radius_packet_name[]#5879
Open
aizu-m wants to merge 1 commit into
Open
bounds-check packet code before indexing fr_radius_packet_name[]#5879aizu-m wants to merge 1 commit into
aizu-m wants to merge 1 commit into
Conversation
Member
|
We'll double-check and fix things. However, this is really a minor issue. The filter code is read from a local text file. So if you're passing garbage to radclient, that's your choice. |
Author
|
Fair enough on severity, the value does come from a local file you control. The one thing worth flagging: the guard tests reply->code, but the index actually used is filter_code (and packet->code / filter_response_code in the others), so an in-range reply with an out-of-range Packet-Type still indexes past the 53-entry array. Not a trust boundary, agreed, just a guard checking a different variable than the one it is protecting. One-liner each, so I will leave it with you to fold in however you prefer. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fr_radius_packet_name[] has FR_RADIUS_CODE_MAX (53) entries:
Was reading the "Expected %s got %s" mismatch path in radclient. The
validity test guards reply->code, but the index that gets used is
filter_code:
filter_code is taken straight from the request/filter file as a uint32
(Packet-Type, vp->vp_uint32), so it is never range checked. A filter
whose Packet-Type is 200, with any in-range reply, reads 200 entries
into a 53-entry array and hands the result to %s.
recv_one_packet() and radclient-ng client_read() have the same shape.
The radsniff startup banner prints filter_request_code and
filter_response_code (also Packet-Type values), guarded only against
zero.
Each guard now validates the code that is actually used as the index.
Behaviour is unchanged for valid codes; out-of-range codes fall through
to the numeric branch, or to "unknown" in the radsniff banner.