From: Kellen Gattis Date: Fri, 23 May 2025 05:46:12 +0000 (-0700) Subject: RADIUS: Fix long extended type encoding X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=96549aaa2c93f7573e30ce7dc5b4ab54e8f799ca;p=thirdparty%2Fhostap.git RADIUS: Fix long extended type encoding Using wpa_psk_radius=3 can lead to malformed RADIUS packets that do not conform to the standard for "Long Extended Type" as defined in RFC 6929. This was observed when using wpa_psk_radius=3 in conjunction with wpa_key_mgmt=WPA-PSK FT-PSK that resulted in a RADIUS attribute for 245.26.11344.2 that was 256 octets in size. The expected outcome was two fragments containing data sizes of 251 and 5 octets, but hostapd instead created a fragment of 256 octets (exceeded the size limit) followed by a fragment of 5 octets. Fix the fragments preceding the final fragment to have the correct data size by using alen instead of data_len when calling wpabuf_put_data(). Fixes: 24763e3cd0a5 ("RADIUS: Attributes with Extended Types (RFC 6929)") Signed-off-by: Kellen Gattis --- diff --git a/src/radius/radius.c b/src/radius/radius.c index 029e6223c..40c037dcc 100644 --- a/src/radius/radius.c +++ b/src/radius/radius.c @@ -807,7 +807,7 @@ struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u16 type, ext->length = sizeof(*ext) + 1 + alen; ext->ext_type = ext_type; wpabuf_put_u8(msg->buf, data_len > alen ? 0x80 : 0); - wpabuf_put_data(msg->buf, data, data_len); + wpabuf_put_data(msg->buf, data, alen); data += alen; data_len -= alen; if (radius_msg_add_attr_to_array(