From fa52bc8b98b81b604655b117d2d1136956e21ba5 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 20 Apr 2019 00:19:02 +0300
Subject: [PATCH] EAP-PAX server: Fix message length checks for MSGDUMP level
 hexdump

EAP-PAX server implementation could end up reading beyond the end of the
buffer if MSGDUMP level debugging was enabled and a message without the
ICV field was received. Fix this by using more strict message length
validation.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/eap_server/eap_server_pax.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/eap_server/eap_server_pax.c b/src/eap_server/eap_server_pax.c
index 8ef90c97a..2e8c1a60c 100644
--- a/src/eap_server/eap_server_pax.c
+++ b/src/eap_server/eap_server_pax.c
@@ -205,7 +205,7 @@ static Boolean eap_pax_check(struct eap_sm *sm, void *priv,
 	u8 icvbuf[EAP_PAX_ICV_LEN], *icv;
 
 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PAX, respData, &len);
-	if (pos == NULL || len < sizeof(*resp)) {
+	if (pos == NULL || len < sizeof(*resp) + EAP_PAX_ICV_LEN) {
 		wpa_printf(MSG_INFO, "EAP-PAX: Invalid frame");
 		return TRUE;
 	}