buildroot
Public
Source
committed 7aed4faa9b0xxxxxxxxxxFrom 567bacefd73782508bfe72d3624df495f0df4cd1 Mon Sep 17 00:00:00 2001From: Jouni Malinen <j@w1.fi>Date: Sun, 7 Oct 2012 20:06:29 +0300Subject: [PATCH] EAP-TLS server: Fix TLS Message Length validationEAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLSMessage Length value properly and could end up trying to store moreinformation into the message buffer than the allocated size if the firstfragment is longer than the indicated size. This could result in hostapdprocess terminating in wpabuf length validation. Fix this by rejectingmessages that have invalid TLS Message Length value.This would affect cases that use the internal EAP authentication serverin hostapd either directly with IEEE 802.1X or when using hostapd as aRADIUS authentication server and when receiving an incorrectlyconstructed EAP-TLS message. Cases where hostapd uses an externalauthentication are not affected.Thanks to Timo Warns for finding and reporting this issue.Signed-hostap: Jouni Malinen <j@w1.fi>intended-for: hostap-1(cherry picked from commit 586c446e0ff42ae00315b014924ec669023bd8de)--- src/eap_server/eap_server_tls_common.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-)diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.cindex e149ee3..2cbe700 100644--- a/src/eap_server/eap_server_tls_common.c+++ b/src/eap_server/eap_server_tls_common.c@@ -224,6 +224,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data, return -1; }+ if (len > message_length) {+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "+ "first fragment of frame (TLS Message "+ "Length %d bytes)",+ (int) len, (int) message_length);+ return -1;+ }+ data->tls_in = wpabuf_alloc(message_length); if (data->tls_in == NULL) { wpa_printf(MSG_DEBUG, "SSL: No memory for message");-- 1.7.4-rc1