EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873)
authorJouni Malinen <j@w1.fi>
Fri, 13 Jun 2014 13:03:45 +0000 (16:03 +0300)
committerJouni Malinen <j@w1.fi>
Fri, 13 Jun 2014 13:03:45 +0000 (16:03 +0300)
Since there is a limit on the EAP exchange due to maximum number of
roundtrips, there is no point in allowing excessively large buffers to
be allocated based on what the peer device claims the total message to
be. Instead, reject the message if it would not be possible to receive
it in full anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_tnc.c
src/eap_server/eap_server_tnc.c

index bc136470b334c2dc3a08a6db15108a1e795ef872..25b9f124801a1cce1c0043c869a022f2f1287d13 100644 (file)
@@ -243,7 +243,8 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
                message_length = WPA_GET_BE32(pos);
                pos += 4;
 
-               if (message_length < (u32) (end - pos)) {
+               if (message_length < (u32) (end - pos) ||
+                   message_length > 75000) {
                        wpa_printf(MSG_DEBUG, "EAP-TNC: Invalid Message "
                                   "Length (%d; %ld remaining in this msg)",
                                   message_length, (long) (end - pos));
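Review bot: The debug message reached by the new `message_length > 75000` branch prints `message_length` with `%d`, so a peer-claimed length above INT_MAX would be logged as a negative number. The value appears to be unsigned, since it is read with `WPA_GET_BE32` and compared against a `(u32)` cast. Oversized claims are exactly what the added condition rejects, so the log should record them accurately for anyone triaging a rejected exchange: use `%u` with `(unsigned int) message_length`. The same applies to the identical hunk in src/eap_server/eap_server_tnc.c. The body of eap_tnc_process continues outside the hunk, so the handling after the log call is not visible here.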
index 67a3dfa30611915723355f8fae21f76ce0e962b0..21bd26f8296ef4f08316768c00c11404e1ed4a5c 100644 (file)
@@ -480,7 +480,8 @@ static void eap_tnc_process(struct eap_sm *sm, void *priv,
                message_length = WPA_GET_BE32(pos);
                pos += 4;
 
-               if (message_length < (u32) (end - pos)) {
+               if (message_length < (u32) (end - pos) ||
+                   message_length > 75000) {
                        wpa_printf(MSG_DEBUG, "EAP-TNC: Invalid Message "
                                   "Length (%d; %ld remaining in this msg)",
                                   message_length, (long) (end - pos));
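Review bot: The literal `75000` now appears in both the peer and the server copy of eap_tnc_process, and nothing in the code says where the figure comes from. A single named constant shared by both files would keep the two limits from drifting apart, for example `#define EAP_TNC_MAX_MESSAGE_LEN 75000` (the name is only a suggestion). It could carry a comment such as `/* upper bound on the claimed total TNC message length; larger messages could not be received within the EAP roundtrip limit */`. The rationale currently lives only in the commit message, so a later change to the roundtrip or fragment limits could leave this bound stale without anyone noticing.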