4d2f9d8aefebd43813ba55e5f1152cd2120323ca
[openwrt/staging/nbd.git] /
1 From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <j@w1.fi>
3 Date: Sat, 2 May 2015 19:23:04 +0300
4 Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
5 reassembly
6
7 The remaining number of bytes in the message could be smaller than the
8 Total-Length field size, so the length needs to be explicitly checked
9 prior to reading the field and decrementing the len variable. This could
10 have resulted in the remaining length becoming negative and interpreted
11 as a huge positive integer.
12
13 In addition, check that there is no already started fragment in progress
14 before allocating a new buffer for reassembling fragments. This avoid a
15 potential memory leak when processing invalid message.
16
17 Signed-off-by: Jouni Malinen <j@w1.fi>
18 ---
19 src/eap_peer/eap_pwd.c | 12 ++++++++++++
20 1 file changed, 12 insertions(+)
21
22 diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
23 index a629437..1d2079b 100644
24 --- a/src/eap_peer/eap_pwd.c
25 +++ b/src/eap_peer/eap_pwd.c
26 @@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
27 * if it's the first fragment there'll be a length field
28 */
29 if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
30 + if (len < 2) {
31 + wpa_printf(MSG_DEBUG,
32 + "EAP-pwd: Frame too short to contain Total-Length field");
33 + ret->ignore = TRUE;
34 + return NULL;
35 + }
36 tot_len = WPA_GET_BE16(pos);
37 wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
38 "total length = %d", tot_len);
39 if (tot_len > 15000)
40 return NULL;
41 + if (data->inbuf) {
42 + wpa_printf(MSG_DEBUG,
43 + "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
44 + ret->ignore = TRUE;
45 + return NULL;
46 + }
47 data->inbuf = wpabuf_alloc(tot_len);
48 if (data->inbuf == NULL) {
49 wpa_printf(MSG_INFO, "Out of memory to buffer "
50 --
51 1.9.1
52