EAP-TLS: Add extra validation for TLS Message Length

While the existing code already addresses TLS Message Length validation
for both EAP-TLS peer and server side, this adds explicit checks and
rejection of invalid messages in the functions handling reassembly. This
does not change externally observable behavior in case of EAP server.
For EAP peer, this starts rejecting invalid messages instead of
addressing them by reallocating the buffer (i.e., ignoring TLS Message
Length in practice).

Signed-hostap: Jouni Malinen <j@w1.fi>

diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 7eefe8c93558867e7bf8adeb8e9dd4052c7bbddb..aedd85a79e853b9db5677af5cf4a1d989428e1bb 100644 (file)
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -829,6 +829,14 @@ const u8 * eap_peer_tls_process_init(struct eap_sm *sm,
                }
                pos += 4;
                left -= 4;
+
+               if (left > tls_msg_len) {
+                       wpa_printf(MSG_INFO, "SSL: TLS Message Length (%d "
+                                  "bytes) smaller than this fragment (%d "
+                                  "bytes)", (int) tls_msg_len, (int) left);
+                       ret->ignore = TRUE;
+                       return NULL;
+               }
        }
 
        ret->ignore = FALSE;

diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 46f282bd9da8f003910866ce19d514e3f069811e..9efb5b2938538b13c037c3ecd9a979ba4fd8284c 100644 (file)
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -297,6 +297,13 @@ static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
                           tls_msg_len);
                *pos += 4;
                *left -= 4;
+
+               if (*left > tls_msg_len) {
+                       wpa_printf(MSG_INFO, "SSL: TLS Message Length (%d "
+                                  "bytes) smaller than this fragment (%d "
+                                  "bytes)", (int) tls_msg_len, (int) *left);
+                       return -1;
+               }
        }
 
        wpa_printf(MSG_DEBUG, "SSL: Received packet: Flags 0x%x "