On 2/10/24 08:38, Peter J. Philipp wrote:
Hi,
I'd like you to just quickly look at the following two files:
/usr/src/lib/libradius/radius.c
	for (; attr < end; ATTRS_ADVANCE(attr)) {
		if (attr->length < 2)
			return (-1);
and it's header file
/usr/lib/lib/libradius/radius_local.h
#define ATTRS_NEXT(x) ((RADIUS_ATTRIBUTE*)(((char*)x) + x->length))

/*
 * must be expression rather than statement
 * to be used in third expression of for statement.
 */
#define ATTRS_ADVANCE(x) (x = ATTRS_NEXT(x))
If a packet manages to point beyond the "end" pointer, attr->length is accessed,
right? This could result in some signal being delivered to the process?
Hi, I think I made a mistake. If attr is at (end - 1), then length is at
(end), which is still malloc'ed.
Best Regards,
-peter
--
Over thirty years experience on UNIX-like Operating Systems starting with QNX.
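The case raised in the thread, an attribute header that starts one byte before "end", is the classic off-by-one in TLV walkers: the loop condition `attr < end` is true, but reading `attr->length` touches the byte at `end`. The following is an added example written for this page, not code from OpenBSD libradius; the struct, function and sample buffers are this example's own. It walks a RADIUS attribute region (RFC 2865 TLVs: 1-byte type, 1-byte length counting the 2-byte header, then the value) and refuses to read the length field unless both header bytes lie strictly inside the region, then checks the length against the bytes that remain. The sample packets are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not OpenBSD libradius code. Mirrors the shape of the
 * ATTRS_ADVANCE() loop discussed above, but with the bounds checks a
 * practitioner would want in front of every attr->length read.
 */
#define RADIUS_ATTR_HDRLEN 2	/* type byte + length byte */

struct radius_attr {
	uint8_t type;
	uint8_t length;		/* total length, header included (RFC 2865 5.) */
	uint8_t value[];	/* C99 flexible array member, sizeof == 2 */
};

/*
 * Walk [buf, buf+len) as a sequence of RADIUS attributes.
 * Returns the number of attributes found, or -1 if the region is malformed.
 */
int
radius_attrs_check(const uint8_t *buf, size_t len)
{
	const uint8_t *p = buf, *end = buf + len;
	const struct radius_attr *attr;
	int count = 0;

	while (p < end) {
		/*
		 * This is the check the thread is about: with fewer than two
		 * bytes left, attr->length would be read at or past `end`.
		 */
		if ((size_t)(end - p) < RADIUS_ATTR_HDRLEN)
			return (-1);
		attr = (const struct radius_attr *)p;

		/* length < 2 would make the advance step stall or go backwards */
		if (attr->length < RADIUS_ATTR_HDRLEN)
			return (-1);

		/* the attribute must fit in what remains of the region */
		if ((size_t)attr->length > (size_t)(end - p))
			return (-1);

		count++;
		p += attr->length;	/* same step as ATTRS_ADVANCE() */
	}
	return (count);
}

/* Constructed sample attribute regions (not captured traffic). */

/* User-Name(1) "pete", NAS-Port(5) = 1: two well-formed attributes */
static const uint8_t sample_good[] = {
	1, 6, 'p', 'e', 't', 'e',
	5, 6, 0, 0, 0, 1
};

/* the thread's case: a lone type byte at end-1, length byte would be at end */
static const uint8_t sample_trailing_byte[] = {
	1, 6, 'p', 'e', 't', 'e',
	5
};

/* length field claims 10 bytes but only 6 remain */
static const uint8_t sample_overrun[] = {
	1, 10, 'p', 'e', 't', 'e'
};

/* length 0: would loop forever in an unchecked walker */
static const uint8_t sample_zero_length[] = {
	1, 0, 'p', 'e', 't', 'e'
};

int
main(void)
{
	printf("good:          %d\n", radius_attrs_check(sample_good, sizeof(sample_good)));
	printf("trailing byte: %d\n", radius_attrs_check(sample_trailing_byte, sizeof(sample_trailing_byte)));
	printf("overrun:       %d\n", radius_attrs_check(sample_overrun, sizeof(sample_overrun)));
	printf("zero length:   %d\n", radius_attrs_check(sample_zero_length, sizeof(sample_zero_length)));
	printf("empty:         %d\n", radius_attrs_check(sample_good, 0));
	return (0);
}
```

The order of the three checks matters: the remaining-bytes test has to come before the struct cast is dereferenced, and the `length < 2` test has to come before `p += attr->length`, otherwise a zero length pins the walker in place and a length of 1 leaves it reading a length byte as a type byte.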