From efe61fa48e6a6d8a36f2ae6ebba6f50ad7eb0a61 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Tue, 6 Jan 2015 10:58:05 +0100
Subject: [PATCH] radius: added safety checks in the parsing of
 Framed-IPv6-Prefix

---
 src/auth/radius.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/auth/radius.c b/src/auth/radius.c
index c8539cfd..95dd22f1 100644
--- a/src/auth/radius.c
+++ b/src/auth/radius.c
@@ -217,13 +217,14 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
 					strlcpy(pctx->ipv6_net, pctx->ipv6, sizeof(pctx->ipv6_net));
 				}
 			} else if (vp->attribute == PW_FRAMED_IPV6_PREFIX && vp->type == PW_TYPE_IPV6PREFIX) {
-
-				/* Framed-IPv6-Prefix */
-				memset(ipv6, 0, sizeof(ipv6)); 
-				memcpy(ipv6, vp->strvalue+2, vp->lvalue-2); 
-				if (inet_ntop(AF_INET6, ip, txt, sizeof(txt)) != NULL) {
-					snprintf(route, sizeof(route), "%s/%u", txt, (unsigned)(unsigned char)vp->strvalue[1]);
-					append_route(pctx, vp->strvalue, vp->lvalue);
+				if (vp->lvalue > 2 && vp->lvalue <= 18) {
+					/* Framed-IPv6-Prefix */
+					memset(ipv6, 0, sizeof(ipv6)); 
+					memcpy(ipv6, vp->strvalue+2, vp->lvalue-2); 
+					if (inet_ntop(AF_INET6, ip, txt, sizeof(txt)) != NULL) {
+						snprintf(route, sizeof(route), "%s/%u", txt, (unsigned)(unsigned char)vp->strvalue[1]);
+						append_route(pctx, vp->strvalue, vp->lvalue);
+					}
 				}
 			} else if (vp->attribute == PW_DNS_SERVER_IPV6_ADDRESS && vp->type == PW_TYPE_IPV6ADDR) {
 				/* DNS-Server-IPv6-Address */