From: Jouni Malinen Date: Fri, 19 Apr 2019 21:19:02 +0000 (+0300) Subject: EAP-PAX server: Fix message length checks for MSGDUMP level hexdump X-Git-Tag: hostap_2_8~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa52bc8b98b81b604655b117d2d1136956e21ba5;p=thirdparty%2Fhostap.git EAP-PAX server: Fix message length checks for MSGDUMP level hexdump EAP-PAX server implementation could end up reading beyond the end of the buffer if MSGDUMP level debugging was enabled and a message without the ICV field was received. Fix this by using more strict message length validation. Signed-off-by: Jouni Malinen --- diff --git a/src/eap_server/eap_server_pax.c b/src/eap_server/eap_server_pax.c index 8ef90c97a..2e8c1a60c 100644 --- a/src/eap_server/eap_server_pax.c +++ b/src/eap_server/eap_server_pax.c @@ -205,7 +205,7 @@ static Boolean eap_pax_check(struct eap_sm *sm, void *priv, u8 icvbuf[EAP_PAX_ICV_LEN], *icv; pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PAX, respData, &len); - if (pos == NULL || len < sizeof(*resp)) { + if (pos == NULL || len < sizeof(*resp) + EAP_PAX_ICV_LEN) { wpa_printf(MSG_INFO, "EAP-PAX: Invalid frame"); return TRUE; }
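Review bot: The tightened condition in eap_pax_check(), `len < sizeof(*resp) + EAP_PAX_ICV_LEN`, carries no comment saying why the ICV length is part of the minimum, and the hexdump code that the commit message names as the over-read is outside this hunk, so a reader of this function cannot see what depends on the check. A short comment above the `if` stating that later code in the function reads an EAP_PAX_ICV_LEN-byte ICV from the payload would keep the check tied to its consumers. The rejection path also still logs only "EAP-PAX: Invalid frame" for both a failed eap_hdr_validate() and a too-short payload; logging `len` in the length case would make truncated frames distinguishable in the server log.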