EAP-PAX: Fix PAX_STD-1 and PAX_STD-3 payload length validation

The req_plen argument to eap_pax_process_std_1() and
eap_pax_process_std_3() could be smaller than sizeof(struct eap_pax_hdr)
since the main processing function was only verifying that there is
enough room for the ICV and then removed ICV length from the remaining
payload length.

In theory, this could have resulted in the size_t left parameter being
set to a negative value that would be interpreted as a huge positive
integer. That could then result in a small buffer read overflow and
process termination if MSGDUMP debug verbosity was in use.

In practice, it does not seem to be feasible to construct a short
message that would be able to pass the ICV validation (calculated using
HMAC-SHA1-128) even for the case where an empty password is used.
Anyway, the implementation should really check the length explicitly
instead of depending on implicit check through ICV validation.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/eap_peer/eap_pax.c b/src/eap_peer/eap_pax.c
index 6d1ff208ac7ef857c31f941fde02456566451f74..c920bcd3182f8521a3d94d7f62b5551bbc4c3f2d 100644 (file)
--- a/src/eap_peer/eap_pax.c
+++ b/src/eap_peer/eap_pax.c
@@ -333,7 +333,7 @@ static struct wpabuf * eap_pax_process(struct eap_sm *sm, void *priv,
        u16 flen, mlen;
 
        pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PAX, reqData, &len);
-       if (pos == NULL || len < EAP_PAX_ICV_LEN) {
+       if (pos == NULL || len < sizeof(*req) + EAP_PAX_ICV_LEN) {
                ret->ignore = TRUE;
                return NULL;
        }