An out-of-bounds write was found in data2vp_wimax() when sending WiMAX attributes which have the "continuation" flag set, but for which there is no subsequent data. The security impact is possible remote code execution by anyone who can send packets which are accepted by the server. Affected versions: 3.0.0 through 3.0.14, inclusive.
Acknowledgments: Name: the FreeRADIUS project Upstream: Guido Vranken
Created attachment 1295272: Proposed patch 1/2
Created attachment 1295273: Proposed patch 2/2
Created freeradius tracking bugs for this issue: Affects: fedora-all [bug 1471861]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, via RHSA-2017:2389 https://access.redhat.com/errata/RHSA-2017:2389
External References: http://freeradius.org/security/fuzzer-2017.html
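The failure mode in the description above (a fragment whose "continuation" flag is set with no data following it) is the kind of input a defensive reassembly routine has to reject. The sketch below is an added example, not FreeRADIUS code and not the proposed patch. It assumes the WiMAX VSA layout (vendor ID 24757, one-byte type and length, then a continuation byte whose top bit is the flag) and one WiMAX attribute per Vendor-Specific attribute. `wimax_reassemble` and the sample arrays are hypothetical names, and the samples are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VSA_TYPE     26      /* RADIUS Vendor-Specific */
#define WIMAX_VENDOR 24757u  /* assumed WiMAX Forum vendor ID */
#define WIMAX_HDR    9       /* type, len, vendor[4], wimax-type, wimax-len, continuation */
#define WIMAX_MORE   0x80    /* assumed position of the "continuation" flag */

/* Hypothetical helper: concatenate the value of a (possibly fragmented) WiMAX
 * attribute into out. Returns the byte count, or -1 if the input is malformed. */
int wimax_reassemble(const uint8_t *p, size_t plen, uint8_t *out, size_t outlen)
{
    size_t used = 0;
    int first = 1, more;
    uint8_t wtype = 0;

    do {
        /* A set flag promises another fragment; running out of data here
         * (plen too short) is the condition from the advisory: reject it. */
        if (plen < WIMAX_HDR || p[0] != VSA_TYPE) return -1;
        if (p[1] < WIMAX_HDR || p[1] > plen) return -1;
        if ((((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16) |
             ((uint32_t)p[4] << 8) | p[5]) != WIMAX_VENDOR) return -1;
        if (p[7] < 3 || p[7] > p[1] - 6) return -1;   /* inner length within outer */
        if (first) { wtype = p[6]; first = 0; }
        else if (p[6] != wtype) return -1;            /* fragments must share a type */
        size_t vlen = (size_t)p[7] - 3;
        if (vlen > outlen - used) return -1;          /* bound every copy by space left */
        memcpy(out + used, p + WIMAX_HDR, vlen);
        used += vlen;
        more = p[8] & WIMAX_MORE;
        plen -= p[1];
        p += p[1];
    } while (more);
    return (int)used;
}

/* Constructed samples: two fragments "ABC" + "DE", and the first fragment alone. */
static const uint8_t sample_ok[] = {
    26, 12, 0x00, 0x00, 0x60, 0xB5, 1, 6, 0x80, 'A', 'B', 'C',
    26, 11, 0x00, 0x00, 0x60, 0xB5, 1, 5, 0x00, 'D', 'E' };
static const uint8_t sample_dangling[] = {
    26, 12, 0x00, 0x00, 0x60, 0xB5, 1, 6, 0x80, 'A', 'B', 'C' };

int main(void) {
    uint8_t buf[16];
    return wimax_reassemble(sample_ok, sizeof sample_ok, buf, sizeof buf) == 5 ? 0 : 1;
}
```

The dangling sample fails at the first length check of the second loop pass, before any copy is attempted.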