From: Jouni Malinen
Date: Sat, 2 May 2015 16:26:06 +0000 (+0300)
Subject: EAP-pwd server: Fix Total-Length parsing for fragment reassembly
X-Git-Tag: hostap_2_5~745
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3035cc2894e08319b905bd6561e8bddc8c2db9fa;p=thirdparty%2Fhostap.git

EAP-pwd server: Fix Total-Length parsing for fragment reassembly

The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and interpreted as a huge positive integer.

In addition, check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoids a potential memory leak when processing an invalid message.

Signed-off-by: Jouni Malinen

---

diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c index 318910540..2bfc3c276 100644 --- a/src/eap_server/eap_server_pwd.c +++ b/src/eap_server/eap_server_pwd.c @@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, * the first fragment has a total length */ if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { + if (len < 2) { + wpa_printf(MSG_DEBUG, + "EAP-pwd: Frame too short to contain Total-Length field"); + return; + } tot_len = WPA_GET_BE16(pos); wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total " "length = %d", tot_len); if (tot_len > 15000) return; + if (data->inbuf) { + wpa_printf(MSG_DEBUG, + "EAP-pwd: Unexpected new fragment start when previous fragment is still in use"); + return; + } data->inbuf = wpabuf_alloc(tot_len); if (data->inbuf == NULL) { wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
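Review bot: the pre-existing `if (tot_len > 15000) return;` between the two new checks still rejects silently, while both added rejections log at MSG_DEBUG; for consistency and so that an oversized Total-Length from a misbehaving peer shows up in the same trace as the too-short and duplicate-start cases, give it a `wpa_printf(MSG_DEBUG, ...)` of its own. On the `data->inbuf` check: returning without touching the existing buffer is the right call for the leak the commit message describes, but a one-line comment stating that the partially reassembled buffer is deliberately kept (rather than freed and restarted) would save the next reader from wondering whether the stale state is intended.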