authorJouni Malinen <jouni.malinen@atheros.com>2008-12-30 10:28:02 (GMT)
committerJouni Malinen <j@w1.fi>2008-12-30 10:28:02 (GMT)
commit3f732d1fc3beadb6f85750804ce821bc99e92af1 (patch)
treef184d325fde51568cee9e137ca8b631b91cfcc54 /src/eap_peer
parent805e6dc66326764b3d20c5113fb538b2be6aa662 (diff)
Fix TLS message processing if Flags field is not present
Previous version assumed that the Flags field is always present and ended up reading one octet past the end of the buffer should the Flags field be missing. The message length would also be set incorrectly to (size_t)-1 or (size_t)-5, but it looks like the reassembly code ended up failing in malloc before actually using this huge length to read data. RFC 2716 uses a somewhat unclear description of what exactly is included in the TLS Ack message ("no data" can refer to either the Data field in 4.1 or the TLS Data field in 4.2), so in theory, it would be possible for some implementations to not include the Flags field. However, EAP-{PEAP,TTLS,FAST} need the Flags field in Ack messages, too, for indicating the used version. The EAP peer code will now accept the no-Flags case as an Ack message if EAP workarounds are enabled (which is the default behavior). If workarounds are disabled, a message without the Flags field will be rejected. [Bug 292]
Diffstat (limited to 'src/eap_peer')
1 files changed, 15 insertions, 2 deletions
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 5db8bf6..839ceb6 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -749,8 +749,21 @@ const u8 * eap_peer_tls_process_init(struct eap_sm *sm,
ret->ignore = TRUE;
return NULL;
- *flags = *pos++;
- left--;
+ if (left == 0) {
+ wpa_printf(MSG_DEBUG, "SSL: Invalid TLS message: no Flags "
+ "octet included");
+ if (!sm->workaround) {
+ ret->ignore = TRUE;
+ return NULL;
+ }
+ wpa_printf(MSG_DEBUG, "SSL: Workaround - assume no Flags "
+ "indicates ACK frame");
+ *flags = 0;
+ } else {
+ *flags = *pos++;
+ left--;
+ }
wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - "
"Flags 0x%02x", (unsigned long) wpabuf_len(reqData),