The following patch should fix the problem, can you try it out? - todd
Index: libexec/login_radius/raddauth.c
===================================================================
RCS file: /cvs/src/libexec/login_radius/raddauth.c,v
retrieving revision 1.30
diff -u -p -u -r1.30 raddauth.c
--- libexec/login_radius/raddauth.c 28 Jun 2019 13:32:53 -0000 1.30
+++ libexec/login_radius/raddauth.c 2 Mar 2023 15:54:18 -0000
@@ -451,17 +451,21 @@ rad_recv(char *state, char *challenge, u
 	struct sockaddr_in sin;
 	u_char recv_vector[AUTH_VECTOR_LEN], test_vector[AUTH_VECTOR_LEN];
 	MD5_CTX context;
+	ssize_t total_length;
 	salen = sizeof(sin);
 	alarm(timeout);
-	if ((recvfrom(sockfd, &auth, sizeof(auth), 0,
-	    (struct sockaddr *)&sin, &salen)) < AUTH_HDR_LEN) {
+	total_length = recvfrom(sockfd, &auth, sizeof(auth), 0,
+	    (struct sockaddr *)&sin, &salen);
+	alarm(0);
+	if (total_length < AUTH_HDR_LEN) {
 		if (timedout)
 			return(-1);
 		errx(1, "bogus auth packet from server");
 	}
-	alarm(0);
+	if (auth.length > total_length)
+		errx(1, "bogus auth packet from server");
 	if (sin.sin_addr.s_addr != auth_server)
 		errx(1, "bogus authentication server");