From 96549aaa2c93f7573e30ce7dc5b4ab54e8f799ca Mon Sep 17 00:00:00 2001 From: Kellen Gattis Date: Thu, 22 May 2025 22:46:12 -0700 Subject: [PATCH] RADIUS: Fix long extended type encoding Using wpa_psk_radius=3 can lead to malformed RADIUS packets that do not conform to the standard for "Long Extended Type" as defined in RFC 6929. This was observed when using wpa_psk_radius=3 in conjunction with wpa_key_mgmt=WPA-PSK FT-PSK that resulted in a RADIUS attribute for 245.26.11344.2 that was 256 octets in size. The expected outcome was two fragments containing data sizes of 251 and 5 octets, but hostapd instead created a fragment of 256 octets (exceeded the size limit) followed by a fragment of 5 octets. Fix the fragments preceding the final fragment to have the correct data size by using alen instead of data_len when calling wpabuf_put_data(). Fixes: 24763e3cd0a5 ("RADIUS: Attributes with Extended Types (RFC 6929)") Signed-off-by: Kellen Gattis --- src/radius/radius.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/radius/radius.c b/src/radius/radius.c index 029e6223c..40c037dcc 100644 --- a/src/radius/radius.c +++ b/src/radius/radius.c @@ -807,7 +807,7 @@ struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u16 type, ext->length = sizeof(*ext) + 1 + alen; ext->ext_type = ext_type; wpabuf_put_u8(msg->buf, data_len > alen ? 0x80 : 0); - wpabuf_put_data(msg->buf, data, data_len); + wpabuf_put_data(msg->buf, data, alen); data += alen; data_len -= alen; if (radius_msg_add_attr_to_array( -- 2.47.2