Fix memory allocation failure handling in EAP-TTLS/MSCHAPv2 server
authorJouni Malinen <j@w1.fi>
Sun, 19 Aug 2012 14:23:00 +0000 (17:23 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 19 Aug 2012 14:23:00 +0000 (17:23 +0300)
If the os_malloc() call for the User-Name value fails in the EAP-TTLS
server, the inner MSCHAPv2 processing could have tried to dereference a
NULL pointer. Avoid this by handling the failure cleanly as an internal
error and rejecting the authentication attempt.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1

src/eap_server/eap_server_ttls.c

index 45fbf52d610a1b9657df76ec414b2b53efd2427f..647bd2fad938f4f48669517f8a50a0c858a98c14 100644 (file)
@@ -674,6 +674,13 @@ static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
                return;
        }
 
+       if (sm->identity == NULL) {
+               wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity "
+                          "known");
+               eap_ttls_state(data, FAILURE);
+               return;
+       }
+
        /* MSCHAPv2 does not include optional domain name in the
         * challenge-response calculation, so remove domain prefix
         * (if present). */
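Review bot: The new `sm->identity == NULL` guard has no comment saying when the identity can be missing at this point, and the debug message does not say either. Going by the commit description, the case is a failed os_malloc() for the User-Name value in eap_ttls_process_phase2(), so a short comment above the check would keep a later reader from treating it as dead code, for example `/* sm->identity may be NULL if storing the Phase 2 User-Name failed; the domain-prefix handling below reads it */`. The guard tests only the pointer; whether `sm->identity_len` can be stale or zero here cannot be judged from this hunk, because the body of eap_ttls_process_phase2_mschapv2() continues outside it.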
@@ -979,11 +986,12 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
        if (parse.user_name) {
                os_free(sm->identity);
                sm->identity = os_malloc(parse.user_name_len);
-               if (sm->identity) {
-                       os_memcpy(sm->identity, parse.user_name,
-                                 parse.user_name_len);
-                       sm->identity_len = parse.user_name_len;
+               if (sm->identity == NULL) {
+                       eap_ttls_state(data, FAILURE);
+                       goto done;
                }
+               os_memcpy(sm->identity, parse.user_name, parse.user_name_len);
+               sm->identity_len = parse.user_name_len;
                if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
                    != 0) {
                        wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
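Review bot: On the new failure path `sm->identity` is NULL after the `os_free()`/`os_malloc()` pair, but `sm->identity_len` still holds the length of the previous identity, because it is only assigned on the success path. Any code that later trusts the length without re-checking the pointer would work from an inconsistent pair, so I would reset it before leaving: `sm->identity_len = 0;` ahead of `eap_ttls_state(data, FAILURE);`. This branch also rejects the authentication silently, unlike the MSCHAPv2 guard in the first hunk, and a line such as `wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to allocate memory for Phase2 Identity");` would make the internal-error rejection distinguishable from a credential failure in logs. The `done` label and the rest of eap_ttls_process_phase2() are outside the hunk, so what cleanup runs after the `goto` is not visible here.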