if the dictionary has octets[n], then it's invalid for length != n

FreeRADIUS · May 11, 2020 · d11b7df · d11b7df
1 parent ee98012
commit d11b7df
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/src/protocols/radius/decode.c b/src/protocols/radius/decode.c
@@ -1445,8 +1445,14 @@ ssize_t fr_radius_decode_pair_value(TALLOC_CTX *ctx, fr_cursor_t *cursor, fr_dic
 	vp->tag = tag;
 
 	switch (parent->type) {
-	case FR_TYPE_STRING:
 	case FR_TYPE_OCTETS:
+		/*
+		 *	This attribute SHOULD have fixed size, but it
+		 *	doesn't.  Therefor it's malformed.
+		 */
+		if (parent->flags.length && (data_len != parent->flags.length)) goto raw;
+
+	case FR_TYPE_STRING:
 	case FR_TYPE_IPV4_ADDR:
 	case FR_TYPE_IPV6_ADDR:
 	case FR_TYPE_BOOL:

diff --git a/src/tests/unit/protocols/radius/vendor.txt b/src/tests/unit/protocols/radius/vendor.txt
@@ -65,5 +65,21 @@ match ERX-LI-Action = off
 decode-pair 1a12000080000105abcdef02076161616161
 match Attr-26.32768.1 = 0xabcdef, Attr-26.32768.2 = 0x6161616161
 
+#
+#  This MUST be 50 octets of data
+#
+encode-pair MS-CHAP-Response = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxX"
+match 1a 3a 00 00 01 37 01 34 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 58
+
+decode-pair -
+match MS-CHAP-Response = 0x7878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787858
+
+#
+#  And now something which *isn't* 50 octets, but instead 49.
+#  Therefore it's an "invalid attribute", as defined in RFC 6929 Section 2.8.
+#
+decode-pair 1a 39 00 00 01 37 01 33 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78 78
+match Attr-26.311.1 = 0x78787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878
+
 count
-match 37
+match 43