EAP-PAX server: Fix message length checks for MSGDUMP level hexdump

EAP-PAX server implementation could end up reading beyond the end of the
buffer if MSGDUMP level debugging was enabled and a message without the
ICV field was received. Fix this by using more strict message length
validation.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/eap_server/eap_server_pax.c b/src/eap_server/eap_server_pax.c
index 8ef90c97a65a8aba7bf4fe17601db8d7584d62f4..2e8c1a60c71fe23f56b0bddaa3074b4ba50bd64e 100644 (file)
--- a/src/eap_server/eap_server_pax.c
+++ b/src/eap_server/eap_server_pax.c
@@ -205,7 +205,7 @@ static Boolean eap_pax_check(struct eap_sm *sm, void *priv,
        u8 icvbuf[EAP_PAX_ICV_LEN], *icv;
 
        pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PAX, respData, &len);
-       if (pos == NULL || len < sizeof(*resp)) {
+       if (pos == NULL || len < sizeof(*resp) + EAP_PAX_ICV_LEN) {
                wpa_printf(MSG_INFO, "EAP-PAX: Invalid frame");
                return TRUE;
        }