WPS: Add explicit message length limit of 50000 bytes

author Jouni Malinen <j@w1.fi>

Sun, 23 Nov 2014 18:57:34 +0000 (20:57 +0200)

committer Jouni Malinen <j@w1.fi>

Sun, 23 Nov 2014 19:03:40 +0000 (21:03 +0200)
author Jouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 18:57:34 +0000 (20:57 +0200)
committer Jouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 19:03:40 +0000 (21:03 +0200)
diff --git a/src/eap_peer/eap_wsc.c b/src/eap_peer/eap_wsc.c

index 23e98237274597ac39154c160e59e50fdc9ed99f..7ce0a53d0b299a54f4a99d726c4970b0348914c1 100644 (file)
--- a/src/eap_peer/eap_wsc.c
+++ b/src/eap_peer/eap_wsc.c
@@ -462,7 +462,7 @@ static struct wpabuf * eap_wsc_process(struct eap_sm *sm, void *priv,
                 message_length = WPA_GET_BE16(pos);
                 pos += 2;
  
-               if (message_length < end - pos) {
+               if (message_length < end - pos || message_length > 50000) {
                         wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid Message "
                                    "Length");
                         ret->ignore = TRUE;
diff --git a/src/eap_server/eap_server_wsc.c b/src/eap_server/eap_server_wsc.c

index 97ec0c0eaa99b00b56cfba7be8ddf9c13bd8a923..9d9c28d704c10965ca7733242b40693abe3e8453 100644 (file)
--- a/src/eap_server/eap_server_wsc.c
+++ b/src/eap_server/eap_server_wsc.c
@@ -380,7 +380,7 @@ static void eap_wsc_process(struct eap_sm *sm, void *priv,
                 message_length = WPA_GET_BE16(pos);
                 pos += 2;
  
-               if (message_length < end - pos) {
+               if (message_length < end - pos || message_length > 50000) {
                         wpa_printf(MSG_DEBUG, "EAP-WSC: Invalid Message "
                                    "Length");
                         return;
author	Jouni Malinen <j@w1.fi>
	Sun, 23 Nov 2014 18:57:34 +0000 (20:57 +0200)
committer	Jouni Malinen <j@w1.fi>
	Sun, 23 Nov 2014 19:03:40 +0000 (21:03 +0200)
src/eap_peer/eap_wsc.c		patch \| blob \| blame \| history
src/eap_server/eap_server_wsc.c		patch \| blob \| blame \| history