pool/wpa_supplicant
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
wpa_supplicant/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
Ismail Dönmez 81f0769d04 Accepting request 305848 from home:oertel:branches:hardware 
- added patch for bnc#930077
  0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
- added patch for bnc#930078
  0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
- added patches for bnc#930079
  0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
  0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
  0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
  0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
  0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch

OBS-URL: https://build.opensuse.org/request/show/305848
OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=56
2015-05-08 08:51:41 +00:00

53 lines
1.8 KiB
Diff
Raw Blame History

From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 2 May 2015 19:23:04 +0300
Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
reassembly
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.
In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoid a
potential memory leak when processing invalid message.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_pwd.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index a629437..1d2079b 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
* if it's the first fragment there'll be a length field
*/
if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+ if (len < 2) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Frame too short to contain Total-Length field");
+ ret->ignore = TRUE;
+ return NULL;
+ }
tot_len = WPA_GET_BE16(pos);
wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
"total length = %d", tot_len);
if (tot_len > 15000)
return NULL;
+ if (data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+ ret->ignore = TRUE;
+ return NULL;
+ }
data->inbuf = wpabuf_alloc(tot_len);
if (data->inbuf == NULL) {
wpa_printf(MSG_INFO, "Out of memory to buffer "
--
1.9.1
Reference in New Issue View Git Blame Copy Permalink