An out-of-bounds read and write flaw was found in the way FreeRADIUS server handled RADIUS packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted RADIUS packet.
The make_secret() function does not properly check for output buffer size before writing data. It can perform a read or write overflow of up to 16 octets.
The issue can happen when when the server is sending a RADIUS packet that is almost at the maximum (4K octets), and the last attribute in the packet is an Ascend-Send-Secret (or similar) attribute. The data being written is an MD5 digest of the shared secret, concatenated to data which is under the attackers control.
This issue can also happen when receiving a packet that has an Ascend-Send-Secret (or similar) attribute of the wrong size. The server will read data past the end of the attribute, up to a limit of 16 octets.
The security impact is denial of service by anyone who can send packets which are accepted by the server.
Affected versions: 2.0.0 through 3.0.14, inclusive.