BUG #19422: Malformed raius packet - Mailing list pgsql-bugs

The following bug has been logged on the website:

Bug reference:      19422
Logged by:          Stanislav Osipov
Email address:      stasos24@gmail.com
PostgreSQL version: 18.3
Operating system:   Ubuntu 22
Description:

User can create malformed radius packet by sending username, which length is
>253
This is would lead to overwriting raidius attributes without causing
security consequences

Due to calling radius_add_attribute at PerformRadiusTransaction:
[https://github.com/postgres/postgres/blob/386ca3908de28dd882a62b8f97a329db07b23138/src/backend/libpq/auth.c#L3012]

radius_add_attribute(packet, RADIUS_USER_NAME, (const unsigned char *)
user_name, strlen(user_name));
[https://github.com/postgres/postgres/blob/386ca3908de28dd882a62b8f97a329db07b23138/src/backend/libpq/auth.c#L2828]
{...
        attr = (radius_attribute *) ((unsigned char *) packet +
packet->length);
        attr->attribute = type;
        attr->length = len + 2;         /* total size includes type and
length */
        memcpy(attr->data, data, len);
        packet->length += attr->length;
}

User may overflow attr->length (uint8) by sending user_name with length of
254 that would led to overwriting user_name attribute and to incorrect
computation of packet->length by next call of radius_add_attribute
[https://github.com/postgres/postgres/blob/386ca3908de28dd882a62b8f97a329db07b23138/src/backend/libpq/auth.c#L3013]
Even though it overflows only in bounds of array, it may have negative
affect in the future.