File 0004-EAP-pwd-server-Fix-Total-Length-parsing-fo... of Package wpa_supplicant

Overview Repositories Revisions Requests Users Attributes Meta

File 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch of Package wpa_supplicant

From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 2 May 2015 19:26:06 +0300
Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
 reassembly

The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.

In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoid a
potential memory leak when processing invalid message.

Signed-off-by: Jouni Malinen <j@w1.fi>
================================================================================
--- wpa_supplicant-2.2/src/eap_server/eap_server_pwd.c
+++ wpa_supplicant-2.2/src/eap_server/eap_server_pwd.c
@@ -916,9 +916,21 @@
 	 * the first fragment has a total length
 	 */
 	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+		if (len < 2) {
+			wpa_printf(MSG_DEBUG,
+				"EAP-pwd: Frame too short to contain Total-Length field");
+			return;
+		}
 		tot_len = WPA_GET_BE16(pos);
 		wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
 			   "length = %d", tot_len);
+		if (tot_len > 15000)
+			return;
+		if (data->inbuf) {
+			wpa_printf(MSG_DEBUG,
+				"EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+			return;
+		}
 		data->inbuf = wpabuf_alloc(tot_len);
 		if (data->inbuf == NULL) {
 			wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "

Places

File 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch of Package wpa_supplicant

Places