From 5ca04071b14af6261c797551bcf26a3851ebbae8 Mon Sep 17 00:00:00 2001
From: Linus Nordberg <linus@nordu.net>
Date: Fri, 16 Jan 2015 16:44:04 +0100
Subject: Fix heap overflow in raddtlsget(), radtcpget() and radtlsget().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Stephen Röttger.
---
 dtls.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'dtls.c')

diff --git a/dtls.c b/dtls.c
index 8be677e..f866092 100644
--- a/dtls.c
+++ b/dtls.c
@@ -239,6 +239,10 @@ unsigned char *raddtlsget(SSL *ssl, struct gqueue *rbios, int timeout) {
         }
 
 	len = RADLEN(buf);
+	if (len < 4) {
+	    debug(DBG_ERR, "raddtlsget: length too small");
+	    continue;
+	}
 	rad = malloc(len);
 	if (!rad) {
 	    debug(DBG_ERR, "raddtlsget: malloc failed");
-- 
cgit v1.1