From d103d2f2f37e2efa614b31052a9d4e51900a82bd Mon Sep 17 00:00:00 2001
From: millert
Date: Thu, 2 Mar 2023 16:13:57 +0000
Subject: [PATCH] rad_recv: verify length field in received auth_hdr_t before using it. Reported by Peter J. Philipp. OK deraadt@
---
 libexec/login_radius/raddauth.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/libexec/login_radius/raddauth.c b/libexec/login_radius/raddauth.c
index fe92fc12937..3d3a679618b 100644
--- a/libexec/login_radius/raddauth.c
+++ b/libexec/login_radius/raddauth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raddauth.c,v 1.30 2019/06/28 13:32:53 deraadt Exp $ */
+/* $OpenBSD: raddauth.c,v 1.31 2023/03/02 16:13:57 millert Exp $ */
 
 /*-
  * Copyright (c) 1996, 1997 Berkeley Software Design, Inc. All rights reserved.
@@ -451,17 +451,21 @@ rad_recv(char *state, char *challenge, u_char *req_vector)
 	struct sockaddr_in sin;
 	u_char recv_vector[AUTH_VECTOR_LEN], test_vector[AUTH_VECTOR_LEN];
 	MD5_CTX context;
+	ssize_t total_length;
 
 	salen = sizeof(sin);
 	alarm(timeout);
-	if ((recvfrom(sockfd, &auth, sizeof(auth), 0,
-	    (struct sockaddr *)&sin, &salen)) < AUTH_HDR_LEN) {
+	total_length = recvfrom(sockfd, &auth, sizeof(auth), 0,
+	    (struct sockaddr *)&sin, &salen);
+	alarm(0);
+	if (total_length < AUTH_HDR_LEN) {
 		if (timedout)
 			return(-1);
 		errx(1, "bogus auth packet from server");
 	}
-	alarm(0);
+	if (ntohs(auth.length) > total_length)
+		errx(1, "bogus auth packet from server");
 
 	if (sin.sin_addr.s_addr != auth_server)
 		errx(1, "bogus authentication server");
-- 
2.20.1
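Review bot: The new `ntohs(auth.length) > total_length` check in the second hunk bounds the RADIUS Length field from above only; a header whose Length is smaller than AUTH_HDR_LEN still passes, and if the attribute walk that follows (outside this hunk) derives the attribute byte count as `ntohs(auth.length) - AUTH_HDR_LEN`, that difference goes negative or wraps. RFC 2865 treats a packet with Length below the 20-byte header minimum as invalid and says it must be discarded, so the guard could read `if (ntohs(auth.length) < AUTH_HDR_LEN || ntohs(auth.length) > total_length)` with the same errx. The comparison itself is sound here because total_length is already known to be at least AUTH_HDR_LEN, so the uint16_t result of ntohs is never compared against a negative ssize_t. rad_recv's body starts and ends outside the hunk, so how the validated length is consumed downstream cannot be confirmed from this patch.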