More checks on attr length

diff --git a/src/lib/radius.c b/src/lib/radius.c
index 053b1a2..287b92f 100644 (file)
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -3124,7 +3124,7 @@ ssize_t rad_attr2vp_raw(const RADIUS_PACKET *packet,
 {
        ssize_t my_len;
 
-       if ((data[1] < 2) || (data[1] > length)) {
+       if ((length < 2) || (data[1] < 2) || (data[1] > length)) {
                fr_strerror_printf("rad_attr2vp_raw: Invalid length");
                return -1;
        }