From: hannes <hannes>
Date: Sun, 25 Jan 2004 09:31:14 +0000 (+0000)
Subject: from Jonathan Heusser <jonny@drugphish.ch>: bugfix missing boundary checks
X-Git-Tag: tcpdump-3.9.1~488
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/2b4d0e9e94a8bc1dbf4ed573f0d556318cba1219

from Jonathan Heusser <jonny@drugphish.ch>: bugfix missing boundary checks
---

diff --git a/print-radius.c b/print-radius.c
index d388a8f1..a99d036d 100644
--- a/print-radius.c
+++ b/print-radius.c
@@ -44,7 +44,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "$Id: print-radius.c,v 1.24 2004-01-07 08:00:52 hannes Exp $";
+    "$Id: print-radius.c,v 1.25 2004-01-25 09:31:14 hannes Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -507,9 +507,16 @@ print_vendor_attr(register u_char *data, u_int length, u_short attr_code _U_)
            vendor_id);
 
     while (length >= 2) {
+	if(!TTEST2(*data, 2)) 
+		return;
+
         vendor_type = *(data);
         vendor_length = *(data+1);
+
         data+=2;
+	if(!TTEST2(*data, vendor_length))
+		return;
+
         printf("\n\t    Vendor Attribute: %u, Length: %u, Value: ",
                vendor_type,
                vendor_length);
@@ -803,14 +810,14 @@ radius_attr_print(register const u_char *attr, u_int length)
 
    while (length > 0)
    {
-     if (rad_attr->len == 0)
+     if (rad_attr->len == 0 && rad_attr->type < (TAM_SIZE(attr_type)-1))
      {
 	printf("\n\t  %s Attribute (%u), zero-length",
                attr_type[rad_attr->type].name,
                rad_attr->type);
 	return;
      }
-     if ( rad_attr->len <= length )
+     if ( rad_attr->len <= length && rad_attr->type < (TAM_SIZE(attr_type)-1))
      {
          printf("\n\t  %s Attribute (%u), length: %u, Value: ",
                 attr_type[rad_attr->type].name,
@@ -834,7 +841,7 @@ radius_attr_print(register const u_char *attr, u_int length)
         return;
      }
      /* do we want to see an additionally hexdump ? */
-     if (vflag> 1)
+     if (vflag> 1 && rad_attr->len >= 2)
          print_unknown_data((char *)rad_attr+2,"\n\t    ",(rad_attr->len)-2);
 
      length-=(rad_attr->len);