[tac_plus] Cisco VPN 3000
John Payne
john at sackheads.org
Fri May 30 16:06:12 UTC 2008
I'm getting the feeling I'm the only one using the NAC_address
(connect_origin) field regularly, as neither Juniper nor Force10
populate it :(
Anyhoo. With the VPN 3000, I'm noticing that identity->NAC_address
is getting 3 extra characters appended. I suspect it's because
rem_addr_len is off-by-3, but as it hasn't otherwise affected
operation, I'm not sure if this is a potential crash waiting to happen.
As I know that all my devices that do send connect_origin are going to
be IP addresses, I think I can work around this.... but it does draw
my attention to the lack of data validation in do_start(), for example:
    identity.NAC_address = tac_make_string(p, (int)start->rem_addr_len);
    p += start->rem_addr_len;
    ...
    bcopy(p, authen_data.client_data, start->data_len);
If rem_addr_len is wrong, isn't it possible for client_data to now
contain data from uninitialized memory (past the "end" of pak)?
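One way to check the START body's declared lengths against the packet before any copy, written here as an added example in C rather than tac_plus's own code; the struct and function names are hypothetical and the sample packet is constructed:

```c
#include <stdint.h>
#include <string.h>
/* TACACS+ authentication START body (RFC 8907, section 5.1): action, priv_lvl,
 * authen_type, authen_service, user_len, port_len, rem_addr_len, data_len (one
 * byte each), then user, port, rem_addr, data. Names are hypothetical, not tac_plus's. */
struct start_fields {
    const uint8_t *user, *port, *rem_addr, *data;
    size_t user_len, port_len, rem_addr_len, data_len;
};
/* Check the declared lengths against body_len before handing out any pointer.
 * Returns 0 on success, -1 if they do not account for exactly body_len bytes, so a
 * rem_addr_len that is off by 3 fails here instead of reaching a bcopy past the packet. */
int parse_start_body(const uint8_t *body, size_t body_len, struct start_fields *out)
{
    const size_t hdr = 8;
    if (body == NULL || out == NULL || body_len < hdr)
        return -1;
    out->user_len     = body[4];
    out->port_len     = body[5];
    out->rem_addr_len = body[6];
    out->data_len     = body[7];
    /* each length is at most 255, so the sum cannot overflow */
    size_t need = hdr + out->user_len + out->port_len + out->rem_addr_len + out->data_len;
    if (need != body_len)
        return -1;
    const uint8_t *p = body + hdr;
    out->user = p;     p += out->user_len;
    out->port = p;     p += out->port_len;
    out->rem_addr = p; p += out->rem_addr_len;
    out->data = p;
    return 0;
}

/* Constructed sample: user "bob", port "tty0", rem_addr "10.0.0.1", no data. */
static const uint8_t sample_start[] = {
    0x01, 0x01, 0x01, 0x01,  /* action, priv_lvl, authen_type, authen_service */
    3, 4, 8, 0,              /* user_len, port_len, rem_addr_len, data_len */
    'b','o','b', 't','t','y','0', '1','0','.','0','.','0','.','1'
};

/* Parse the sample, optionally with rem_addr_len 3 too large as in the report;
 * returns the parsed rem_addr_len, or -1 when the body is rejected. */
int check_sample(int rem_addr_off_by_3)
{
    uint8_t buf[sizeof sample_start];
    struct start_fields f;
    memcpy(buf, sample_start, sizeof buf);
    if (rem_addr_off_by_3)
        buf[6] += 3;
    return parse_start_body(buf, sizeof buf, &f) == 0 ? (int)f.rem_addr_len : -1;
}
```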