authorLeonardo Arena <rnalrd@alpinelinux.org>2014-03-04 07:45:03 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2014-03-04 07:45:13 +0000
commita2173b1aaa97f86a247dadf46ce68614b071988f (patch)
tree0e659ad83048e4cde0b493f1782951360744f46b /main/freeradius/CVE-2014-2015.patch
parentc06d34acaa80b9c827fd701b567c2bea70c668e0 (diff)
main/freeradius: security fix (CVE-2014-2015). Fixes #2717
Diffstat (limited to 'main/freeradius/CVE-2014-2015.patch')
-rw-r--r--main/freeradius/CVE-2014-2015.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/main/freeradius/CVE-2014-2015.patch b/main/freeradius/CVE-2014-2015.patch
new file mode 100644
index 0000000000..fbd5ff0833
--- /dev/null
+++ b/main/freeradius/CVE-2014-2015.patch
@@ -0,0 +1,35 @@
+From 0d606cfc29ab2e91764854e733d4525e6c667eb9 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Thu, 13 Feb 2014 09:29:35 -0500
+Subject: [PATCH] Increase buffer size. Use output buffer size as limit for
+ hex2bin
+
+---
+ src/modules/rlm_pap/rlm_pap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
+index 8ef2152..1492a44 100644
+--- a/src/modules/rlm_pap/rlm_pap.c
++++ b/src/modules/rlm_pap/rlm_pap.c
+@@ -247,7 +247,7 @@ static int base64_decode (const char *src, uint8_t *dst)
+ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ {
+ size_t decoded;
+- uint8_t buffer[64];
++ uint8_t buffer[256];
+
+ if (min_length >= sizeof(buffer)) return; /* paranoia */
+
+@@ -255,7 +255,7 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
+ * Hex encoding.
+ */
+ if (vp->length >= (2 * min_length)) {
+- decoded = fr_hex2bin(vp->vp_strvalue, buffer, vp->length >> 1);
++ decoded = fr_hex2bin(vp->vp_strvalue, buffer, sizeof(buffer));
+ if (decoded == (vp->length >> 1)) {
+ RDEBUG2("Normalizing %s from hex encoding", vp->name);
+ memcpy(vp->vp_octets, buffer, decoded);
+--
+1.8.5.5
+
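Review bot: The new `uint8_t buffer[256];` in normify() is an unexplained constant, and nothing on the new side states that the decode paths are only safe while it is at least as large as anything an attribute value can decode to. The hex branch is now bounded by `sizeof(buffer)`, and the memcpy runs only when `decoded == (vp->length >> 1)`. However, `base64_decode(const char *src, uint8_t *dst)`, visible in the first hunk header, takes no output length. If normify's base64 branch, which lies outside this hunk, writes into the same buffer, it is protected only by the size increase. I would add a comment on the declaration such as `/* must hold the largest decoded attribute value: hex yields length/2, base64 about 3*length/4 */`, and consider giving base64_decode a destination size so that the bound is enforced rather than assumed.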