EAP-pwd: Add explicit total length limit

Instead of using implicit limit based on 16-bit unsigned integer having a maximum value of 65535, limit the maximum length of a fragmented EAP-pwd message explicitly to 15000 bytes. None of the supported groups use longer messages, so it is fine to reject any longer message without even trying to reassemble it. This will hopefully also help in reducing false warnings from static analyzers (CID 68124). Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-29 18:52:09 +03:00 · 2014-06-29 18:52:09 +03:00 · ee352f1e5a
parent b2b8a4cb10
commit ee352f1e5a
2 changed files with 4 additions and 0 deletions
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@ -782,6 +782,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
 		tot_len = WPA_GET_BE16(pos);
 		wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
 			   "total length = %d", tot_len);
+		if (tot_len > 15000)
+			return NULL;
 		data->inbuf = wpabuf_alloc(tot_len);
 		if (data->inbuf == NULL) {
 			wpa_printf(MSG_INFO, "Out of memory to buffer "
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@ -900,6 +900,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
 		tot_len = WPA_GET_BE16(pos);
 		wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
 			   "length = %d", tot_len);
+		if (tot_len > 15000)
+			return;
 		data->inbuf = wpabuf_alloc(tot_len);
 		if (data->inbuf == NULL) {
 			wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "