Properly parse identity in EAP-SIM module 136/head
authorTobias Brunner <tobias@strongswan.org>
Wed, 28 Nov 2012 10:30:21 +0000 (11:30 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 28 Nov 2012 10:32:53 +0000 (11:32 +0100)
The encoding is given in RFC 4186, section 10.8.

src/modules/rlm_eap/types/rlm_eap_sim/rlm_eap_sim.c

index 33262a13c370e80dfd3820b42838cfd4b655376e..8e79b6644defbbbbfff602206108b3b6d3da9fd2 100644 (file)
@@ -245,13 +245,21 @@ static int eap_sim_sendchallenge(EAP_HANDLER *handler)
        pairreplace(outvps, newvp);
 
        /* make a copy of the identity */
+       ess->keys.identitylen = strlen(handler->identity);
+       memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
+
+       /* use the SIM identity, if available */
        newvp = pairfind(*invps, ATTRIBUTE_EAP_SIM_BASE + PW_EAP_SIM_IDENTITY, 0);
-       if (newvp) {
-               ess->keys.identitylen = newvp->length;
-               memcpy(ess->keys.identity, newvp->vp_octets, newvp->length);
-       } else {
-               ess->keys.identitylen = strlen(handler->identity);
-               memcpy(ess->keys.identity, handler->identity, ess->keys.identitylen);
+       if (newvp && newvp->length > 2) {
+               uint16_t len;
+
+               memcpy(&len, newvp->vp_octets, sizeof(uint16_t));
+               len = ntohs(len);
+               if (len <= newvp->length - 2 && len <= MAX_STRING_LEN) {
+                       ess->keys.identitylen = len;
+                       memcpy(ess->keys.identity, newvp->vp_octets + 2,
+                              ess->keys.identitylen);
+               }
        }
 
        /* all set, calculate keys! */
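Review bot: The fallback copy at the top of the hunk (`ess->keys.identitylen = strlen(handler->identity);` followed by the `memcpy`) is now unconditional and has no length bound, while the AT_IDENTITY path below it is checked against `MAX_STRING_LEN`. The size of `ess->keys.identity` is not visible here, but that later check suggests it is `MAX_STRING_LEN` bytes; if `handler->identity` (presumably taken from the peer's EAP identity) can be longer, this copy writes past the buffer. I would guard it the same way, with `if (strlen(handler->identity) > sizeof(ess->keys.identity))` followed by the function's failure return, and, assuming `identity` is an array member, use `sizeof(ess->keys.identity)` in place of `MAX_STRING_LEN` in the second check so that both bounds track the buffer. A malformed AT_IDENTITY, or one declaring length 0, is also handled without any trace (the first falls back to the EAP identity, the second replaces it with an empty one), so a debug message on that path would make resulting key mismatches easier to diagnose. The body of eap_sim_sendchallenge starts and ends outside the hunk.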