Fix heap overflow in raddtlsget(), radtcpget() and radtlsget().

Patch by Stephen Röttger.

Fix heap overflow in raddtlsget(), radtcpget() and radtlsget().
Patch by Stephen Röttger.
5ca04071 · Linus Nordberg · 42eb3c67 · 5ca04071 · 5ca04071 · 5ca04071
Commit 5ca04071 authored Jan 16, 2015 by Linus Nordberg
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

dtls.c dtls.c +4 -0

tcp.c tcp.c +4 -0

tls.c tls.c +4 -0

No files found.
--- a/dtls.c
+++ b/dtls.c
@@ -239,6 +239,10 @@ unsigned char *raddtlsget(SSL *ssl, struct gqueue *rbios, int timeout) {
        }

 	len = RADLEN(buf);
+	if (len < 4) {
+	    debug(DBG_ERR, "raddtlsget: length too small");
+	    continue;
+	}
 	rad = malloc(len);
 	if (!rad) {
 	    debug(DBG_ERR, "raddtlsget: malloc failed");

--- a/tcp.c
+++ b/tcp.c
@@ -173,6 +173,10 @@ unsigned char *radtcpget(int s, int timeout) {
 	}

 	len = RADLEN(buf);
+	if (len < 4) {
+	    debug(DBG_ERR, "radtcpget: length too small");
+	    continue;
+	}
 	rad = malloc(len);
 	if (!rad) {
 	    debug(DBG_ERR, "radtcpget: malloc failed");

--- a/tls.c
+++ b/tls.c
@@ -220,6 +220,10 @@ unsigned char *radtlsget(SSL *ssl, int timeout) {
 	}

 	len = RADLEN(buf);
+	if (len < 4) {
+	    debug(DBG_ERR, "radtlsget: length too small");
+	    continue;
+	}
 	rad = malloc(len);
 	if (!rad) {
 	    debug(DBG_ERR, "radtlsget: malloc failed");