From: Alan T. DeKok <aland@freeradius.org>
Date: Tue, 4 Jul 2017 14:12:09 +0000 (-0400)
Subject: FR-GV-201 - check input / output length in make_secret()
X-Git-Tag: release_3_0_15~17
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=freeradius.git;a=commitdiff_plain;h=fc8662d7e827f630d515eaa0bddfa94754c8047f

FR-GV-201 - check input / output length in make_secret()
---

diff --git a/src/lib/radius.c b/src/lib/radius.c
index 245b86c..23e5763 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -542,17 +542,17 @@ static ssize_t rad_recvfrom(int sockfd, RADIUS_PACKET *packet, int flags,
  * encrypting passwords to RADIUS.
  */
 static void make_secret(uint8_t *digest, uint8_t const *vector,
-			char const *secret, uint8_t const *value)
+			char const *secret, uint8_t const *value, size_t length)
 {
 	FR_MD5_CTX context;
-	int	     i;
+	size_t	     i;
 
 	fr_md5_init(&context);
 	fr_md5_update(&context, vector, AUTH_VECTOR_LEN);
 	fr_md5_update(&context, (uint8_t const *) secret, strlen(secret));
 	fr_md5_final(digest, &context);
 
-	for ( i = 0; i < AUTH_VECTOR_LEN; i++ ) {
+	for ( i = 0; i < length; i++ ) {
 		digest[i] ^= value[i];
 	}
 }
@@ -1010,8 +1010,8 @@ static ssize_t vp2data_any(RADIUS_PACKET const *packet,
 		 *	always fits.
 		 */
 	case FLAG_ENCRYPT_ASCEND_SECRET:
-		if (len != 16) return 0;
-		make_secret(ptr, packet->vector, secret, data);
+		if (len > AUTH_VECTOR_LEN) len = AUTH_VECTOR_LEN;
+		make_secret(ptr, packet->vector, secret, data, len);
 		len = AUTH_VECTOR_LEN;
 		break;
 
@@ -3605,9 +3605,14 @@ ssize_t data2vp(TALLOC_CTX *ctx,
 				goto raw;
 			} else {
 				uint8_t my_digest[AUTH_VECTOR_LEN];
+				size_t secret_len;
+
+				secret_len = datalen;
+				if (secret_len > AUTH_VECTOR_LEN) secret_len = AUTH_VECTOR_LEN;
+
 				make_secret(my_digest,
 					    original->vector,
-					    secret, data);
+					    secret, data, secret_len);
 				memcpy(buffer, my_digest,
 				       AUTH_VECTOR_LEN );
 				buffer[AUTH_VECTOR_LEN] = '\0';