package/network/services/hostapd/patches/006-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch

   1 From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
   2 From: Jouni Malinen <j@w1.fi>
   3 Date: Sat, 2 May 2015 19:23:04 +0300
   4 Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
   5  reassembly
   6
   7 The remaining number of bytes in the message could be smaller than the
   8 Total-Length field size, so the length needs to be explicitly checked
   9 prior to reading the field and decrementing the len variable. This could
  10 have resulted in the remaining length becoming negative and interpreted
  11 as a huge positive integer.
  12
  13 In addition, check that there is no already started fragment in progress
  14 before allocating a new buffer for reassembling fragments. This avoid a
  15 potential memory leak when processing invalid message.
  16
  17 Signed-off-by: Jouni Malinen <j@w1.fi>
  18 ---
  19  src/eap_peer/eap_pwd.c | 12 ++++++++++++
  20  1 file changed, 12 insertions(+)
  21
  22 diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
  23 index a629437..1d2079b 100644
  24 --- a/src/eap_peer/eap_pwd.c
  25 +++ b/src/eap_peer/eap_pwd.c
  26 @@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
  27          * if it's the first fragment there'll be a length field
  28          */
  29         if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
  30 +               if (len < 2) {
  31 +                       wpa_printf(MSG_DEBUG,
  32 +                                  "EAP-pwd: Frame too short to contain Total-Length field");
  33 +                       ret->ignore = TRUE;
  34 +                       return NULL;
  35 +               }
  36                 tot_len = WPA_GET_BE16(pos);
  37                 wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
  38                            "total length = %d", tot_len);
  39                 if (tot_len > 15000)
  40                         return NULL;
  41 +               if (data->inbuf) {
  42 +                       wpa_printf(MSG_DEBUG,
  43 +                                  "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
  44 +                       ret->ignore = TRUE;
  45 +                       return NULL;
  46 +               }
  47                 data->inbuf = wpabuf_alloc(tot_len);
  48                 if (data->inbuf == NULL) {
  49                         wpa_printf(MSG_INFO, "Out of memory to buffer "
  50 --
  51 1.9.1
  52