EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and being interpreted as a huge positive integer. In addition, check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoids a potential memory leak when processing an invalid message. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
e28a58be26
commit
477c74395a
1 changed files with 12 additions and 0 deletions
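--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
 * if it's the first fragment there'll be a length field
 */
 if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+if (len < 2) {
+wpa_printf(MSG_DEBUG,
+"EAP-pwd: Frame too short to contain Total-Length field");
+ret->ignore = TRUE;
+return NULL;
+}
 tot_len = WPA_GET_BE16(pos);
 wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
 "total length = %d", tot_len);
 if (tot_len > 15000)
 return NULL;
+if (data->inbuf) {
+wpa_printf(MSG_DEBUG,
+"EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+ret->ignore = TRUE;
+return NULL;
+}
 data->inbuf = wpabuf_alloc(tot_len);
 if (data->inbuf == NULL) {
 wpa_printf(MSG_INFO, "Out of memory to buffer "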
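Review bot: The two new rejection paths set `ret->ignore = TRUE` before returning, but the pre-existing `if (tot_len > 15000) return NULL;` sitting between them still returns without setting it, so the three early exits in this block now signal the rejection differently to the caller; changing it to `if (tot_len > 15000) { ret->ignore = TRUE; return NULL; }` (with a debug log like the other two) would keep the handling uniform. The new `len < 2` guard only proves that the two-byte Total-Length field is present; whether the first fragment's remaining payload is bounded against tot_len before it is copied into the freshly allocated `data->inbuf` is not visible here and is worth confirming, since nothing in this hunk relates len to tot_len. A short comment above the `data->inbuf` check, e.g. `/* A new first fragment while reassembly is pending is a protocol violation; reject it rather than leak the old buffer */`, would record why the message is ignored instead of restarting reassembly. `eap_pwd_process` begins and ends outside this hunk.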