X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Flib%2Fradius.c;fp=src%2Flib%2Fradius.c;h=81a8066d58ea14acd6012c48711461ea42adedc3;hb=6726c16549b131ed39f6f8886cdf5d9d922a9a97;hp=180b006b85c1d011090e290cae1eade1f50f8f71;hpb=4b059296e14b6ab75dc17163077490528a819806;p=freeradius.git

diff --git a/src/lib/radius.c b/src/lib/radius.c
index 180b006..81a8066 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -2952,16 +2952,23 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx,
 	 *	don't care about walking off of the end of it.
 	 */
 	while (ptr < end) {
+		if (ptr[1] < 2) return -1;
+		if ((ptr + ptr[1]) > end) return -1;
+
 		total += ptr[1] - 2;
 
 		ptr += ptr[1];
 
+		if (ptr == end) break;
+
 		/*
 		 *	Attributes MUST be consecutive.
 		 */
 		if (ptr[0] != attr) break;
 	}
 
+	end = ptr;
+
 	vp = fr_pair_afrom_da(ctx, da);
 	if (!vp) return -1;
 
@@ -2974,7 +2981,7 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx,
 
 	total = 0;
 	ptr = start;
-	while (total < vp->vp_length) {
+	while (ptr < end) {
 		memcpy(p, ptr + 2, ptr[1] - 2);
 		p += ptr[1] - 2;
 		total += ptr[1] - 2;
@@ -2982,6 +2989,7 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx,
 	}
 
 	*pvp = vp;
+
 	return ptr - start;
 }