Re: BUG #19422: Malformed raius packet

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Michael Paquier <[email protected]>
To: [email protected]
To: [email protected]
Subject: Re: BUG #19422: Malformed raius packet
Date: Tue, 3 Mar 2026 16:20:37 +0900
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

On Mon, Mar 02, 2026 at 09:04:14AM +0000, PG Bug reporting form wrote:
> User may overflow attr->length (uint8) by sending user_name with length of
> 254 that would led to overwriting user_name attribute and to incorrect
> computation of packet->length by next call of radius_add_attribute
> [https://github.com/postgres/postgres/blob/386ca3908de28dd882a62b8f97a329db07b23138/src/backend/libpq...]
> Even though it overflows only in bounds of array, it may have negative
> affect in the future.

Fun, due to the increment of 2 added a couple of lines down.  There is
an overflow calculation.  There is nothing critical here.

Looking at RFC 2865, there is nothing about a limit of size for the
attributes.  This means that we are only limited by our
RADIUS_BUFFER_SIZE.  Hence, we could bump radius_attribute.length to
uint16 and add some casts in the check for RADIUS_BUFFER_SIZE so as
we don't overflow the addition before adding an attribute to the
packet?  On the other hand, we could aim for simpler and just reject
any attributes larger than 255 bytes.  I doubt that anybody would be
insane enough to use fields larger than that 255 bytes anyway.  Both
solutions are equal in simplicity here.

Thoughts?
--
Michael

Attachments:

  [application/pgp-signature] signature.asc (833B, 2-signature.asc)
  download

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: BUG #19422: Malformed raius packet
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox