freeradius-server/freeradius-server-snprintf-overflow.patch

Index: freeradius-server-2.1.11/src/modules/rlm_mschap/rlm_mschap.c
===================================================================
--- freeradius-server-2.1.11.orig/src/modules/rlm_mschap/rlm_mschap.c
+++ freeradius-server-2.1.11/src/modules/rlm_mschap/rlm_mschap.c
@@ -1251,10 +1251,10 @@ static int mschap_authenticate(void * in
 				 inst->allow_retry);
 
 			if (inst->retry_msg) {
-				snprintf(buffer + 9, sizeof(buffer), " C=");
+				snprintf(buffer + 9, sizeof(buffer) - 9, " C=");
 				for (i = 0; i < 16; i++) {
 					snprintf(buffer + 12 + i*2,
-						 sizeof(buffer), "%02x",
+						 sizeof(buffer) - 12 - i*2, "%02x",
 						 fr_rand() & 0xff);
 				}
 				snprintf(buffer + 12 + 32, sizeof(buffer) - 45,
update to 2.1.11 OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=32 2011-06-24 13:29:48 +02:00			`Index: freeradius-server-2.1.11/src/modules/rlm_mschap/rlm_mschap.c`
			`===================================================================`
			`--- freeradius-server-2.1.11.orig/src/modules/rlm_mschap/rlm_mschap.c`
			`+++ freeradius-server-2.1.11/src/modules/rlm_mschap/rlm_mschap.c`
			`@@ -1251,10 +1251,10 @@ static int mschap_authenticate(void * in`
			`inst->allow_retry);`

			`if (inst->retry_msg) {`
			`- snprintf(buffer + 9, sizeof(buffer), " C=");`
			`+ snprintf(buffer + 9, sizeof(buffer) - 9, " C=");`
			`for (i = 0; i < 16; i++) {`
			`snprintf(buffer + 12 + i*2,`
			`- sizeof(buffer), "%02x",`
			`+ sizeof(buffer) - 12 - i*2, "%02x",`
			`fr_rand() & 0xff);`
			`}`
			`snprintf(buffer + 12 + 32, sizeof(buffer) - 45,`