diff options
author | Linus Nordberg <linus@nordu.net> | 2015-01-16 16:44:04 +0100 |
---|---|---|
committer | Linus Nordberg <linus@nordu.net> | 2015-01-16 16:44:04 +0100 |
commit | f7835d0dcba27559b04f4f6faad26a7a19e3c3f0 (patch) | |
tree | 0f791a811a2f5a5d7d49d35ef9c0c87efb0db189 | |
parent | 47a7af88884c9887cbe0fc19da8d8d237e1b9054 (diff) |
Fix heap overflow in raddtlsget(), radtcpget() and radtlsget().
Patch by Stephen Röttger.
-rw-r--r-- | dtls.c | 4 | ||||
-rw-r--r-- | tcp.c | 4 | ||||
-rw-r--r-- | tls.c | 4 |
3 files changed, 12 insertions, 0 deletions
@@ -235,6 +235,10 @@ unsigned char *raddtlsget(SSL *ssl, struct gqueue *rbios, int timeout) { } len = RADLEN(buf); + if (len < 4) { + debug(DBG_ERR, "raddtlsget: length too small"); + continue; + } rad = malloc(len); if (!rad) { debug(DBG_ERR, "raddtlsget: malloc failed"); @@ -169,6 +169,10 @@ unsigned char *radtcpget(int s, int timeout) { } len = RADLEN(buf); + if (len < 4) { + debug(DBG_ERR, "radtcpget: length too small"); + continue; + } rad = malloc(len); if (!rad) { debug(DBG_ERR, "radtcpget: malloc failed"); @@ -216,6 +216,10 @@ unsigned char *radtlsget(SSL *ssl, int timeout) { } len = RADLEN(buf); + if (len < 4) { + debug(DBG_ERR, "radtlsget: length too small"); + continue; + } rad = malloc(len); if (!rad) { debug(DBG_ERR, "radtlsget: malloc failed"); |