]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f41f670)
EAP-IKEv2: Add explicit limit for maximum message length
authorJouni Malinen <j@w1.fi>
Sat, 20 Dec 2014 22:25:16 +0000 (00:25 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 20 Dec 2014 22:25:16 +0000 (00:25 +0200)
This avoids accepting unnecessarily large memory allocations.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_ikev2.c patch | blob | blame | history
src/eap_server/eap_server_ikev2.c patch | blob | blame | history

diff --git a/src/eap_peer/eap_ikev2.c b/src/eap_peer/eap_ikev2.c
index c12b51933e8b4aa1869625af8d1d8a8605edf5f6..cbdf931c4ebe1b4cb02a4cab1d8fcaad6e14013f 100644 (file)
--- a/src/eap_peer/eap_ikev2.c
+++ b/src/eap_peer/eap_ikev2.c
@@ -301,6 +301,13 @@ static struct wpabuf * eap_ikev2_process_fragment(struct eap_ikev2_data *data,
 
        if (data->in_buf == NULL) {
                /* First fragment of the message */
+               if (message_length > 50000) {
+                       /* Limit maximum memory allocation */
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-IKEV2: Ignore too long message");
+                       ret->ignore = TRUE;
+                       return NULL;
+               }
                data->in_buf = wpabuf_alloc(message_length);
                if (data->in_buf == NULL) {
                        wpa_printf(MSG_DEBUG, "EAP-IKEV2: No memory for "
diff --git a/src/eap_server/eap_server_ikev2.c b/src/eap_server/eap_server_ikev2.c
index 804f78540465af1ec49d0940635c6bea53eb1c91..16e62764cc55a11a9132ff68cccaf17572bf86b2 100644 (file)
--- a/src/eap_server/eap_server_ikev2.c
+++ b/src/eap_server/eap_server_ikev2.c
@@ -309,6 +309,12 @@ static int eap_ikev2_process_fragment(struct eap_ikev2_data *data,
 
        if (data->in_buf == NULL) {
                /* First fragment of the message */
+               if (message_length > 50000) {
+                       /* Limit maximum memory allocation */
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-IKEV2: Ignore too long message");
+                       return -1;
+               }
                data->in_buf = wpabuf_alloc(message_length);
                if (data->in_buf == NULL) {
                        wpa_printf(MSG_DEBUG, "EAP-IKEV2: No memory for "
Unnamed repository; edit this file 'description' to name the repository.