1 From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <j@w1.fi>
3 Date: Sat, 2 May 2015 19:26:06 +0300
4 Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
7 The remaining number of bytes in the message could be smaller than the
8 Total-Length field size, so the length needs to be explicitly checked
9 prior to reading the field and decrementing the len variable. This could
10 have resulted in the remaining length becoming negative and interpreted
11 as a huge positive integer.
13 In addition, check that there is no already started fragment in progress
14 before allocating a new buffer for reassembling fragments. This avoid a
15 potential memory leak when processing invalid message.
17 Signed-off-by: Jouni Malinen <j@w1.fi>
19 src/eap_server/eap_server_pwd.c | 10 ++++++++++
20 1 file changed, 10 insertions(+)
22 diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
23 index 3189105..2bfc3c2 100644
24 --- a/src/eap_server/eap_server_pwd.c
25 +++ b/src/eap_server/eap_server_pwd.c
26 @@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
27 * the first fragment has a total length
29 if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
31 + wpa_printf(MSG_DEBUG,
32 + "EAP-pwd: Frame too short to contain Total-Length field");
35 tot_len = WPA_GET_BE16(pos);
36 wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
37 "length = %d", tot_len);
41 + wpa_printf(MSG_DEBUG,
42 + "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
45 data->inbuf = wpabuf_alloc(tot_len);
46 if (data->inbuf == NULL) {
47 wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
projects / 15.05 / openwrt.git / blob