Fix heap overflow in raddtlsget(), radtcpget() and radtlsget().

Patch by Stephen Röttger.
author: Linus Nordberg <linus@nordu.net> 2015-01-16 16:44:04 +0100
committer: Linus Nordberg <linus@nordu.net> 2015-01-16 16:51:14 +0100
commit: 5ca04071b14af6261c797551bcf26a3851ebbae8 (patch)
tree: 1eb8003b5aee3af2278ae505b78f5e213dda4839
parent: 42eb3c67e5ee5e0a0e8b5175a001bc5822c3a919 (diff)
3 files changed, 12 insertions, 0 deletions
diff --git a/dtls.c b/dtls.c
index 8be677e..f866092 100644
--- a/dtls.c
+++ b/dtls.c
@@ -239,6 +239,10 @@ unsigned char *raddtlsget(SSL *ssl, struct gqueue *rbios, int timeout) {
         }
 
 	len = RADLEN(buf);
+	if (len < 4) {
+	    debug(DBG_ERR, "raddtlsget: length too small");
+	    continue;
+	}
 	rad = malloc(len);
 	if (!rad) {
 	    debug(DBG_ERR, "raddtlsget: malloc failed");
diff --git a/tcp.c b/tcp.c
index 6de39fc..515acbf 100644
--- a/tcp.c
+++ b/tcp.c
@@ -173,6 +173,10 @@ unsigned char *radtcpget(int s, int timeout) {
 	}
 
 	len = RADLEN(buf);
+	if (len < 4) {
+	    debug(DBG_ERR, "radtcpget: length too small");
+	    continue;
+	}
 	rad = malloc(len);
 	if (!rad) {
 	    debug(DBG_ERR, "radtcpget: malloc failed");
diff --git a/tls.c b/tls.c
index 90c3dc9..41defea 100644
--- a/tls.c
+++ b/tls.c
@@ -220,6 +220,10 @@ unsigned char *radtlsget(SSL *ssl, int timeout) {
 	}
 
 	len = RADLEN(buf);
+	if (len < 4) {
+	    debug(DBG_ERR, "radtlsget: length too small");
+	    continue;
+	}
 	rad = malloc(len);
 	if (!rad) {
 	    debug(DBG_ERR, "radtlsget: malloc failed");
author	Linus Nordberg <linus@nordu.net>	2015-01-16 16:44:04 +0100
committer	Linus Nordberg <linus@nordu.net>	2015-01-16 16:51:14 +0100
commit	5ca04071b14af6261c797551bcf26a3851ebbae8 (patch)
tree	1eb8003b5aee3af2278ae505b78f5e213dda4839
parent	42eb3c67e5ee5e0a0e8b5175a001bc5822c3a919 (diff)