EAP-PEAP server: Fix Phase 2 TLV length in error case

The payload length in a Phase 2 TLV message reporting error was not set
correctly. Fix this to not include the TLVs that are included only in
success case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c
index 98d608bfae2f5ce7bec41713795bc01080406f39..faa0fd2f238789614dd7b949a38cfb06a436979e 100644 (file)
--- a/src/eap_server/eap_server_peap.c
+++ b/src/eap_server/eap_server_peap.c
@@ -344,12 +344,14 @@ static struct wpabuf * eap_peap_build_phase2_tlv(struct eap_sm *sm,
        size_t mlen;
 
        mlen = 6; /* Result TLV */
-       if (data->crypto_binding != NO_BINDING)
+       if (data->peap_version == 0 && data->tlv_request == TLV_REQ_SUCCESS &&
+           data->crypto_binding != NO_BINDING) {
                mlen += 60; /* Cryptobinding TLV */
 #ifdef EAP_SERVER_TNC
-       if (data->soh_response)
-               mlen += wpabuf_len(data->soh_response);
+               if (data->soh_response)
+                       mlen += wpabuf_len(data->soh_response);
 #endif /* EAP_SERVER_TNC */
+       }
 
        buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, mlen,
                            EAP_CODE_REQUEST, id);