Hi Roberto,
Here's the diff I used in the 1.2.5-2.4 NMU.
Cheers,
Thijs
diff -u php-radius-1.2.5/radius-1.2.5/radius.c php-radius-1.2.5/radius-1.2.5/radius.c
--- php-radius-1.2.5/radius-1.2.5/radius.c
+++ php-radius-1.2.5/radius-1.2.5/radius.c
@@ -541,23 +541,24 @@
/* {{{ proto string radius_get_vendor_attr(data) */
PHP_FUNCTION(radius_get_vendor_attr)
{
- int res, vendor;
- const void *data;
+ int vendor;
+ const void *data, *raw;
size_t len;
+ unsigned char type;
+ size_t data_len;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &data, &len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &raw, &len) == FAILURE) {
return;
}
- res = rad_get_vendor_attr(&vendor, &data, &len);
- if (res == -1) {
+ if (rad_get_vendor_attr(&vendor, &type, &data, &data_len, raw, len) == -1) {
RETURN_FALSE;
} else {
array_init(return_value);
- add_assoc_long(return_value, "attr", res);
+ add_assoc_long(return_value, "attr", type);
add_assoc_long(return_value, "vendor", vendor);
- add_assoc_stringl(return_value, "data", (char *) data, len, 1);
+ add_assoc_stringl(return_value, "data", (char *) data, data_len, 1);
return;
}
}
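Review bot: `vendor` is declared `int` on the new `int vendor;` line, but `&vendor` is passed to the first parameter of rad_get_vendor_attr, which this same patch declares as `u_int32_t *` in radlib_vs.h, so the call passes an incompatible pointer type; declare it `u_int32_t vendor;` so the wrapper matches the library prototype. Separately, `len` (unchanged `size_t len;`) is filled by zend_parse_parameters' "s" specifier and then forwarded as `raw_len`, the value the new bound check in radlib.c relies on; in the PHP 5 series the "s" length argument is an `int *`, and if that is the target here the upper half of `len` on 64-bit builds would be left unwritten, which could undermine the length check — confirm against the PHP headers in use and use the type the API expects.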
diff -u php-radius-1.2.5/debian/changelog php-radius-1.2.5/debian/changelog
--- php-radius-1.2.5/debian/changelog
+++ php-radius-1.2.5/debian/changelog
@@ -1,3 +1,11 @@
+php-radius (1.2.5-2.4) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix security issue in radius_get_vendor_attr()
+ (CVE-2013-2220, closes: #714362)
+
+ -- Thijs Kinkhorst <th...@debian.org> Thu, 25 Jul 2013 14:28:53 +0200
+
php-radius (1.2.5-2.3) unstable; urgency=high
* Non-maintainer upload.
only in patch2:
unchanged:
--- php-radius-1.2.5.orig/radius-1.2.5/radlib.c
+++ php-radius-1.2.5/radius-1.2.5/radlib.c
@@ -898,15 +898,24 @@
}
int
-rad_get_vendor_attr(u_int32_t *vendor, const void **data, size_t *len)
+rad_get_vendor_attr(u_int32_t *vendor, unsigned char *type, const void **data, size_t *len, const void *raw, size_t raw_len)
{
struct vendor_attribute *attr;
- attr = (struct vendor_attribute *)*data;
+ if (raw_len < sizeof(struct vendor_attribute)) {
+ return -1;
+ }
+
+ attr = (struct vendor_attribute *) raw;
*vendor = ntohl(attr->vendor_value);
+ *type = attr->attrib_type;
*data = attr->attrib_data;
*len = attr->attrib_len - 2;
+ if ((attr->attrib_len + 4) > raw_len) {
+ return -1;
+ }
+
return (attr->attrib_type);
}
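Review bot: `*len = attr->attrib_len - 2;` on the new side is computed before the added `(attr->attrib_len + 4) > raw_len` check and is never guarded against `attrib_len < 2`, so a sub-attribute whose length octet is 0 or 1 passes the check (4 <= raw_len holds once the first guard does) and the caller receives a `*len` that has wrapped to near SIZE_MAX. Move the length test in front of all four output assignments and make it `if (attr->attrib_len < 2 || (size_t)attr->attrib_len + 4 > raw_len) { return -1; }`, so that nothing is written through the out-pointers on the failure path and the minimum length is enforced. The `+ 4` presumably means `attrib_len` counts the type and length octets plus data that follow a 4-byte vendor id, but struct vendor_attribute is not in this patch, so that constant deserves a one-line comment naming the layout it assumes once confirmed.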
only in patch2:
unchanged:
--- php-radius-1.2.5.orig/radius-1.2.5/radlib_vs.h
+++ php-radius-1.2.5/radius-1.2.5/radlib_vs.h
@@ -74,7 +74,7 @@
struct rad_handle;
-int rad_get_vendor_attr(u_int32_t *, const void **, size_t *);
+int rad_get_vendor_attr(u_int32_t *, unsigned char *, const void **, size_t *, const void *, size_t);
int rad_put_vendor_addr(struct rad_handle *, int, int, struct in_addr);
int rad_put_vendor_attr(struct rad_handle *, int, int, const void *,
size_t);