Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch | 54 |
1 files changed, 54 insertions, 0 deletions
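diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
new file mode 100644
index 0000000000..a4c02b4745
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
@@ -0,0 +1,54 @@
+Upstream-Status: Backport
+
+Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
+
+From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 2 May 2015 19:26:06 +0300
+Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
+reassembly
+
+The remaining number of bytes in the message could be smaller than the
+Total-Length field size, so the length needs to be explicitly checked
+prior to reading the field and decrementing the len variable. This could
+have resulted in the remaining length becoming negative and interpreted
+as a huge positive integer.
+
+In addition, check that there is no already started fragment in progress
+before allocating a new buffer for reassembling fragments. This avoid a
+potential memory leak when processing invalid message.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+src/eap_server/eap_server_pwd.c | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 3189105..2bfc3c2 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+* the first fragment has a total length
+*/
+if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
++ if (len < 2) {
++ wpa_printf(MSG_DEBUG,
++ "EAP-pwd: Frame too short to contain Total-Length field");
++ return;
++ }
+tot_len = WPA_GET_BE16(pos);
+wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
+"length = %d", tot_len);
+if (tot_len > 15000)
+return;
++ if (data->inbuf) {
++ wpa_printf(MSG_DEBUG,
++ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
++ return;
++ }
+data->inbuf = wpabuf_alloc(tot_len);
+if (data->inbuf == NULL) {
+wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
+--
+1.9.1
+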
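Review bot: The patch header has no `CVE:` tag, although the `Upstream-Status: Backport` / `Signed-off-by:` block at the top of the file is where OpenEmbedded expects one so that the fix is picked up by CVE tracking; if this backport addresses a published advisory, add `CVE: <CVE id of the EAP-pwd Total-Length issue>` directly under `Upstream-Status: Backport`. The embedded C change itself reads correctly: `len < 2` is rejected before `WPA_GET_BE16(pos)` reads the two-byte field, and the `data->inbuf` guard stops a second "first fragment" from overwriting and leaking the buffer allocated for the reassembly already in progress. The enclosing `eap_pwd_process` continues past the hunk, so the later `pos`/`len` adjustment that the commit message refers to cannot be confirmed from this view. The diffstat is limited to this file, so whether the recipe's `SRC_URI` was updated to apply the new patch is likewise not visible here.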