45 lines
1.7 KiB
Diff
From 87fcb5a735f0deb2c7528e363f27c09d2e501ba3 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 2 May 2015 18:18:51 +0300
Subject: [PATCH] EAP-PAX: Fix PAX_STD-1 and PAX_STD-3 payload length
 validation

The req_plen argument to eap_pax_process_std_1() and
eap_pax_process_std_3() could be smaller than sizeof(struct eap_pax_hdr)
since the main processing function was only verifying that there is
enough room for the ICV and then removed ICV length from the remaining
payload length.

In theory, this could have resulted in the size_t left parameter being
set to a negative value that would be interpreted as a huge positive
integer. That could then result in a small buffer read overflow and
process termination if MSGDUMP debug verbosity was in use.

In practice, it does not seem to be feasible to construct a short
message that would be able to pass the ICV validation (calculated using
HMAC-SHA1-128) even for the case where an empty password is used.
Anyway, the implementation should really check the length explicitly
instead of depending on implicit check through ICV validation.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/eap_peer/eap_pax.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/eap_peer/eap_pax.c b/src/eap_peer/eap_pax.c
index 6d1ff20..c920bcd 100644
--- a/src/eap_peer/eap_pax.c
+++ b/src/eap_peer/eap_pax.c
@@ -333,7 +333,7 @@ static struct wpabuf * eap_pax_process(struct eap_sm *sm, void *priv,
u16 flen, mlen;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PAX, reqData, &len);
- if (pos == NULL || len < EAP_PAX_ICV_LEN) {
+ if (pos == NULL || len < sizeof(*req) + EAP_PAX_ICV_LEN) {
ret->ignore = TRUE;
return NULL;
}
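Review bot: the new guard `len < sizeof(*req) + EAP_PAX_ICV_LEN` is the right place for the check, since it runs before the dispatch to eap_pax_process_std_1() and eap_pax_process_std_3() and guarantees that `len - EAP_PAX_ICV_LEN` is at least one full header, so the `req_plen - sizeof(*req)` computation the message describes can no longer wrap; however, the hunk does not show where `req` is declared or assigned, and if `req` is only set later in the function, spelling the bound as `sizeof(struct eap_pax_hdr) + EAP_PAX_ICV_LEN` (matching the wording of the commit message) would make the intent obvious at this line. It would also help to record the precondition `req_plen >= sizeof(struct eap_pax_hdr)` in a comment at the two std_N processing functions, since they now rely on this caller-side check and a later refactoring of eap_pax_process() could silently reintroduce the underflow.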
--
1.7.9.5