authorJouni Malinen <j@w1.fi>2014-06-13 13:03:45 (GMT)
committerJouni Malinen <j@w1.fi>2014-06-13 13:03:45 (GMT)
commit6590b6400f73762fc6a53ad6ca05a73246cc5e54 (patch)
tree473593cb64357fe84d21910529b272c3397d9131
parente862968d18237a97892c836cbe894be2fea7cc6e (diff)
downloadhostap-6590b6400f73762fc6a53ad6ca05a73246cc5e54.zip
hostap-6590b6400f73762fc6a53ad6ca05a73246cc5e54.tar.gz
hostap-6590b6400f73762fc6a53ad6ca05a73246cc5e54.tar.bz2
EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873)
Since there is a limit on the EAP exchange due to maximum number of roundtrips, there is no point in allowing excessively large buffers to be allocated based on what the peer device claims the total message to be. Instead, reject the message if it would not be possible to receive it in full anyway. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/eap_peer/eap_tnc.c3
-rw-r--r--src/eap_server/eap_server_tnc.c3
2 files changed, 4 insertions, 2 deletions
diff --git a/src/eap_peer/eap_tnc.c b/src/eap_peer/eap_tnc.c
index bc13647..25b9f12 100644
--- a/src/eap_peer/eap_tnc.c
+++ b/src/eap_peer/eap_tnc.c
@@ -243,7 +243,8 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
message_length = WPA_GET_BE32(pos);
pos += 4;
- if (message_length < (u32) (end - pos)) {
+ if (message_length < (u32) (end - pos) ||
+ message_length > 75000) {
wpa_printf(MSG_DEBUG, "EAP-TNC: Invalid Message "
"Length (%d; %ld remaining in this msg)",
message_length, (long) (end - pos));
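Review bot: The 75000 cap on the added line is a bare magic number, and the same literal is repeated in the parallel check in src/eap_server/eap_server_tnc.c with nothing at either site explaining where the value comes from. Hoisting it into one shared named constant, for example `#define EAP_TNC_MAX_MESSAGE_LENGTH 75000 /* bounded by the max number of EAP roundtrips */` (name is a suggestion), would keep the peer and server limits from drifting apart and would record at the point of use the reasoning the commit message gives for rejecting peer-claimed lengths that could never be received anyway. The debug print on the following context lines also passes the u32 message_length to a `%d` conversion, which is a format/argument mismatch under -Wformat; `%u` would match the type. eap_tnc_process starts and ends outside this hunk.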
diff --git a/src/eap_server/eap_server_tnc.c b/src/eap_server/eap_server_tnc.c
index 67a3dfa..21bd26f 100644
--- a/src/eap_server/eap_server_tnc.c
+++ b/src/eap_server/eap_server_tnc.c
@@ -480,7 +480,8 @@ static void eap_tnc_process(struct eap_sm *sm, void *priv,
message_length = WPA_GET_BE32(pos);
pos += 4;
- if (message_length < (u32) (end - pos)) {
+ if (message_length < (u32) (end - pos) ||
+ message_length > 75000) {
wpa_printf(MSG_DEBUG, "EAP-TNC: Invalid Message "
"Length (%d; %ld remaining in this msg)",
message_length, (long) (end - pos));