Problem Description:
libradius did not perform sufficient validation of received messages.
rad_get_attr(3) did not verify that the attribute length is valid before
subtracting the length of the Type and Length fields. As a result, it
could return success while also providing a bogus length of SIZE_T_MAX -
2 for the Value field.
When processing attributes to find an optional authenticator,
is_valid_response() failed to verify that each attribute length is
non-zero and could thus enter an infinite loop.
Impact:
A server may use libradius(3) to process messages from RADIUS clients.
In this case, a malicious client could trigger a denial-of-service in
the server. A client using libradius(3) to process messages from a
server is susceptible to the same problem.
The impact of the rad_get_attr(3) bug depends on how the returned length
is validated and used by the consumer. It is possible that libradius(3)
applications will crash or enter an infinite loop when calling
rad_get_attr(3) on untrusted RADIUS messages.