scottk/wlan-ap
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-ap.git synced 2025-10-30 01:52:51 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity

radius-gw-proxy: fix possible memory corruption

Browse Source 
Fixes: WIFI-10964
Signed-off-by: John Crispin <john@phrozen.org>
This commit is contained in:
John Crispin
2022-11-21 14:58:16 +01:00
parent daadf043d8
commit d9815c0f62
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
feeds/ucentral/radius-gw-proxy/src/main.c
View File

@@ -152,13 +152,13 @@ radius_forward_gw(char *buf, enum socket_type type)
}
static int
radius_parse(char *buf, int len, int port, enum socket_type type, int tx)
radius_parse(char *buf, unsigned int len, int port, enum socket_type type, int tx)
{
struct radius_header *hdr = (struct radius_header *) buf;
struct radius_tlv *proxy_state = NULL;
char proxy_state_str[256] = {};
void *avp = hdr->avp;
int len_orig = ntohs(hdr->len);
unsigned int len_orig = ntohs(hdr->len);
uint8_t localhost[] = { 0x7f, 0, 0, 1 };
if (len_orig != len) {
@@ -170,10 +170,10 @@ radius_parse(char *buf, int len, int port, enum socket_type type, int tx)
len -= sizeof(*hdr);
while (len > 1) {
while (len >= sizeof(struct radius_tlv)) {
struct radius_tlv *tlv = (struct radius_tlv *)avp;
if (len < tlv->len) {
if (len < tlv->len || tlv->len < sizeof(*tlv)) {
ULOG_ERR("invalid TLV length\n");
return -1;
}
@@ -312,7 +312,7 @@ sock_recv(struct uloop_fd *u, unsigned int events)
inet_ntop(AF_INET, &sin.sin_addr, addr_str, sizeof(addr_str));
printf("RX: src:%s:%d, len=%d\n", addr_str, sin.sin_port, len);
radius_parse(buf, len, sin.sin_port, sock->type, 1);
radius_parse(buf, (unsigned int)len, sin.sin_port, sock->type, 1);
} while (1);
}