EAP-PAX server: Fix message length checks for MSGDUMP level hexdump
EAP-PAX server implementation could end up reading beyond the end of the buffer if MSGDUMP level debugging was enabled and a message without the ICV field was received. Fix this by using more strict message length validation. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
b3c2b5d9f7
commit
fa52bc8b98
1 changed files with 1 additions and 1 deletions
|
@ -205,7 +205,7 @@ static Boolean eap_pax_check(struct eap_sm *sm, void *priv,
|
|||
u8 icvbuf[EAP_PAX_ICV_LEN], *icv;
|
||||
|
||||
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PAX, respData, &len);
|
||||
if (pos == NULL || len < sizeof(*resp)) {
|
||||
if (pos == NULL || len < sizeof(*resp) + EAP_PAX_ICV_LEN) {
|
||||
wpa_printf(MSG_INFO, "EAP-PAX: Invalid frame");
|
||||
return TRUE;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue