EAP-PAX server: Fix message length checks for MSGDUMP level hexdump

EAP-PAX server implementation could end up reading beyond the end of the
buffer if MSGDUMP level debugging was enabled and a message without the
ICV field was received. Fix this by using more strict message length
validation.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-04-20 00:19:02 +03:00
parent b3c2b5d9f7
commit fa52bc8b98

View file

@ -205,7 +205,7 @@ static Boolean eap_pax_check(struct eap_sm *sm, void *priv,
u8 icvbuf[EAP_PAX_ICV_LEN], *icv; u8 icvbuf[EAP_PAX_ICV_LEN], *icv;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PAX, respData, &len); pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PAX, respData, &len);
if (pos == NULL || len < sizeof(*resp)) { if (pos == NULL || len < sizeof(*resp) + EAP_PAX_ICV_LEN) {
wpa_printf(MSG_INFO, "EAP-PAX: Invalid frame"); wpa_printf(MSG_INFO, "EAP-PAX: Invalid frame");
return TRUE; return TRUE;
} }