The rad_coalesce() function checks for WiMAX attributes which are too small, but it does not check for WiMAX attributes which are too large. As a result, the server can be convinced to read past the end of an attribute, and to write past the end of memory allocated via malloc(). The data being copied is taken from the attributes following the malformed WiMAX attribute, and is under the control of the attacker. While the packet has to be a "well formed" RADIUS packet, that requirement limits only the two octets which immediately follow the malformed WiMAX attribute. After that, there are up to 245 octets copied which are the complete control of the attacker. The issue happens when the server receives any packet containing malformed WiMAX attributes, potentially leading to remote code execution. Affected versions: 2.0.0 through 2.2.9, inclusive.
Acknowledgments: Name: the FreeRADIUS project Upstream: Guido Vranken
Created attachment 1295281 [details] Proposed patch
Created freeradius tracking bugs for this issue: Affects: fedora-all [bug 1471850]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:1759 https://access.redhat.com/errata/RHSA-2017:1759
External References: http://freeradius.org/security/fuzzer-2017.html