1From 0ec2b39d260e08e4c3464f6b95005821dc559c62 Mon Sep 17 00:00:00 2001
2From: "Alan T. DeKok" <aland@freeradius.org>
3Date: Mon, 28 Feb 2022 10:34:15 -0500
4Subject: [PATCH] manual port of commit 5906bfa1
5
6CVE: CVE-2022-41861
7
8Upstream-Status: Backport
9[https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62]
10
11Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
12---
13 src/lib/filters.c | 12 +++++++++---
14 1 file changed, 9 insertions(+), 3 deletions(-)
15
16diff --git a/src/lib/filters.c b/src/lib/filters.c
17index 4868cd385d..3f3b63daee 100644
18--- a/src/lib/filters.c
19+++ b/src/lib/filters.c
20@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
21 }
22 }
23 } else if (filter->type == RAD_FILTER_GENERIC) {
24- int count;
25+ size_t count, masklen;
26+
27+ masklen = ntohs(filter->u.generic.len);
28+ if (masklen >= sizeof(filter->u.generic.mask)) {
29+ *p = '\0';
30+ return;
31+ }
32
33 i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
34 p += i;
35
36 /* show the mask */
37- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
38+ for (count = 0; count < masklen; count++) {
39 i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
40 p += i;
41 outlen -= i;
42@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
43 outlen--;
44
45 /* show the value */
46- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
47+ for (count = 0; count < masklen; count++) {
48 i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
49 p += i;
50 outlen -= i;
51--
522.25.1
53
54
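Review bot: The new `masklen` guard bounds the reads from `mask[]`, but the write side is still loosely accounted for: after the offset `snprintf` in the context lines, `p` is advanced by `i` while `outlen` is left unchanged, so the mask loop passes a size that overstates the room left in `out`. I would add `outlen -= i;` after that `p += i;`. Because `snprintf` returns the length it wanted to write rather than what fit, I would also stop when `i < 0 || (size_t) i >= outlen` before applying `i` to `p` and `outlen`; the same pattern repeats in the value loop of the second hunk. `print_abinary` starts and ends outside this hunk, so any earlier check on `outlen` is not visible here.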
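Review bot: The value loop indexes `filter->u.generic.value[count]` up to `masklen`, but `masklen` was only validated against `sizeof(filter->u.generic.mask)` in the first hunk. The struct declaration is not on this page; if the two arrays are meant to stay the same size, a comment at the guard such as `/* mask[] and value[] share one length; masklen bounds both */`, or extending the test with `|| masklen >= sizeof(filter->u.generic.value)`, would make the bound on this read explicit. The loop's closing brace lies outside the hunk.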