Fix heap overflow in raddtlsget(), radtcpget() and radtlsget().

Patch by Stephen Röttger.
author: Linus Nordberg <linus@nordu.net> 2015-01-16 16:44:04 +0100
committer: Linus Nordberg <linus@nordu.net> 2015-01-16 16:44:04 +0100
commit: f7835d0dcba27559b04f4f6faad26a7a19e3c3f0 (patch)
tree: 0f791a811a2f5a5d7d49d35ef9c0c87efb0db189 /dtls.c
parent: 47a7af88884c9887cbe0fc19da8d8d237e1b9054 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/dtls.c b/dtls.c
index 2586b8f..8f8c90a 100644
--- a/dtls.c
+++ b/dtls.c
@@ -235,6 +235,10 @@ unsigned char *raddtlsget(SSL *ssl, struct gqueue *rbios, int timeout) {
         }
 
 	len = RADLEN(buf);
+	if (len < 4) {
+	    debug(DBG_ERR, "raddtlsget: length too small");
+	    continue;
+	}
 	rad = malloc(len);
 	if (!rad) {
 	    debug(DBG_ERR, "raddtlsget: malloc failed");
author	Linus Nordberg <linus@nordu.net>	2015-01-16 16:44:04 +0100
committer	Linus Nordberg <linus@nordu.net>	2015-01-16 16:44:04 +0100
commit	f7835d0dcba27559b04f4f6faad26a7a19e3c3f0 (patch)
tree	0f791a811a2f5a5d7d49d35ef9c0c87efb0db189 /dtls.c
parent	47a7af88884c9887cbe0fc19da8d8d237e1b9054 (diff)