Fix heap overflow in raddtlsget(), radtcpget() and radtlsget().
Patch by Stephen Röttger.
Linus Nordberg committed Jan 16, 2015
1 parent 42eb3c6 commit 5ca0407
Showing 3 changed files with 12 additions and 0 deletions.
4 changes: 4 additions & 0 deletions dtls.c
@@ -239,6 +239,10 @@ unsigned char *raddtlsget(SSL *ssl, struct gqueue *rbios, int timeout) {
}

len = RADLEN(buf);
if (len < 4) {
debug(DBG_ERR, "raddtlsget: length too small");
continue;
}
rad = malloc(len);
if (!rad) {
debug(DBG_ERR, "raddtlsget: malloc failed");
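Review bot: The new `len < 4` guard in raddtlsget() only covers the four header bytes that have already been read, so a declared length of 4 to 19 still passes and produces a `rad` buffer shorter than a complete RADIUS header. RFC 2865 sets the minimum packet length at 20 bytes (code, identifier, length, 16-byte authenticator). The code that consumes `rad` lies outside this hunk, so whether it touches the authenticator without re-checking the length cannot be confirmed here; tightening the check to `if (len < 20) {` would reject such packets before allocation. The identical guards added to radtcpget() in tcp.c and radtlsget() in tls.c would need the same change.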
4 changes: 4 additions & 0 deletions tcp.c
@@ -173,6 +173,10 @@ unsigned char *radtcpget(int s, int timeout) {
}

len = RADLEN(buf);
if (len < 4) {
debug(DBG_ERR, "radtcpget: length too small");
continue;
}
rad = malloc(len);
if (!rad) {
debug(DBG_ERR, "radtcpget: malloc failed");
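Review bot: The `continue;` after "length too small" in radtcpget() keeps reading from the same TCP stream even though the peer has just sent an invalid length field, so the next four bytes are presumably parsed as a fresh header with no guarantee that they sit on a packet boundary. The enclosing loop and the function's error returns are outside this hunk, so this is inferred. If it holds, treating a bad length as a framing error that ends the read, so the caller can drop the connection, would be safer than resuming. radtlsget() in tls.c follows the same pattern; for the datagram case in dtls.c, skipping the packet is the more natural behaviour. A short comment on the guard, such as `/* 4 header bytes are copied into rad below; a smaller len would overflow it */`, would also record why the check exists.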
4 changes: 4 additions & 0 deletions tls.c
@@ -220,6 +220,10 @@ unsigned char *radtlsget(SSL *ssl, int timeout) {
}

len = RADLEN(buf);
if (len < 4) {
debug(DBG_ERR, "radtlsget: length too small");
continue;
}
rad = malloc(len);
if (!rad) {
debug(DBG_ERR, "radtlsget: malloc failed");