EAP-FAST server: Fix potential read-after-buffer (by one byte)
authorJouni Malinen <j@w1.fi>
Sat, 26 Jul 2014 18:12:49 +0000 (21:12 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 26 Jul 2014 18:14:05 +0000 (21:14 +0300)
The special PAC_OPAQUE_TYPE_PAD case did not skip incrementing of the
pos pointer and could result in one octet read-after-buffer when parsing
the PAC-Opaque data.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_server/eap_server_fast.c

index 102451014e4e78addd31d14ad21e65f3a04e063c..4691e722887a332dc3baabb76c2b584521cb7448 100644 (file)
@@ -187,7 +187,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
                switch (*pos) {
                case PAC_OPAQUE_TYPE_PAD:
                        pos = end;
-                       break;
+                       goto done;
                case PAC_OPAQUE_TYPE_KEY:
                        if (pos[1] != EAP_FAST_PAC_KEY_LEN) {
                                wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid "
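Review bot: The `goto done` in the PAC_OPAQUE_TYPE_PAD case needs a comment explaining why `break` is not enough: `break` only leaves the `switch`, so control would reach `pos += 2 + pos[1]` (second hunk) with `pos == end` and read the length octet past the buffer. A line such as `/* PAD ends parsing; skip the pos += 2 + pos[1] advance, which would read past end */` above the `goto` keeps a later cleanup from turning it back into `break`. With the jump in place, `pos = end;` looks like a dead store unless `pos` is read after `done:`, which these hunks do not show. eap_fast_session_ticket_cb starts and ends outside both hunks, so the loop condition and any length check before the `switch` could not be reviewed here.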
@@ -218,6 +218,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
 
                pos += 2 + pos[1];
        }
+done:
 
        if (pac_key == NULL) {
                wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in "