RADIUS: Fix long extended type encoding

Using wpa_psk_radius=3 can lead to malformed RADIUS packets that do not
conform to the standard for "Long Extended Type" as defined in RFC 6929.

This was observed when using wpa_psk_radius=3 in conjunction with
wpa_key_mgmt=WPA-PSK FT-PSK that resulted in a RADIUS attribute for
245.26.11344.2 that was 256 octets in size. The expected outcome was two
fragments containing data sizes of 251 and 5 octets, but hostapd instead
created a fragment of 256 octets (exceeded the size limit) followed by a
fragment of 5 octets.

Fix the fragments preceding the final fragment to have the correct data
size by using alen instead of data_len when calling wpabuf_put_data().

Fixes: 24763e3cd0a5 ("RADIUS: Attributes with Extended Types (RFC 6929)")
Signed-off-by: Kellen Gattis <k3113n6@gmail.com>

diff --git a/src/radius/radius.c b/src/radius/radius.c
index 029e6223ce1496d123ea920de123819c0e19b0de..40c037dcc0ad9c626c932368449d246e4de4f2b8 100644 (file)
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -807,7 +807,7 @@ struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u16 type,
                        ext->length = sizeof(*ext) + 1 + alen;
                        ext->ext_type = ext_type;
                        wpabuf_put_u8(msg->buf, data_len > alen ? 0x80 : 0);
-                       wpabuf_put_data(msg->buf, data, data_len);
+                       wpabuf_put_data(msg->buf, data, alen);
                        data += alen;
                        data_len -= alen;
                        if (radius_msg_add_attr_to_array(