authorJouni Malinen <j@w1.fi>2008-12-04 16:51:42 (GMT)
committerJouni Malinen <j@w1.fi>2008-12-04 16:51:42 (GMT)
commitb8ab62498412836cfc55b9a72f06f3d3b48767f3 (patch)
tree3849c5b2a33ca18bb7db11c0e5064e8ff6659dd0 /src/eap_common
parentbb9f45e0bbd41b644970fde94f70a5ec6ed3c5e0 (diff)
Fixed EAP-SIM and EAP-AKA AT_IDENTITY parsing (server only)
The attribute uses 'Actual Identity Length' field to indicate the exact (pre-padding) length of the Identity. This actual length should be used as the length, not the remaining attribute length. This was previously worked around by stripping null termination away from the end of the identity string at EAP-SIM and EAP-AKA server code. However, it is likely that that workaround is not really needed and the real problem was in AT_IDENTITY parsing. Anyway, the workaround is left in just in case it was really needed with some implementations.
Diffstat (limited to 'src/eap_common')
-rw-r--r--src/eap_common/eap_sim_common.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/src/eap_common/eap_sim_common.c b/src/eap_common/eap_sim_common.c
index e33fe3e..58253f9 100644
--- a/src/eap_common/eap_sim_common.c
+++ b/src/eap_common/eap_sim_common.c
@@ -554,8 +554,20 @@ int eap_sim_parse_attr(const u8 *start, const u8 *end,
break;
case EAP_SIM_AT_IDENTITY:
wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IDENTITY");
- attr->identity = apos + 2;
- attr->identity_len = alen - 2;
+ plen = WPA_GET_BE16(apos);
+ apos += 2;
+ alen -= 2;
+ if (plen > alen) {
+ wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
+ "AT_IDENTITY (Actual Length %lu, "
+ "remaining length %lu)",
+ (unsigned long) plen,
+ (unsigned long) alen);
+ return -1;
+ }
+
+ attr->identity = apos;
+ attr->identity_len = plen;
break;
case EAP_SIM_AT_VERSION_LIST:
if (aka) {
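Review bot: The `plen > alen` check in the AT_IDENTITY case is only sound if `alen` is at least 2 before `alen -= 2` runs, and nothing in this hunk establishes that. The casts to `unsigned long` suggest `alen` is unsigned, so a shorter attribute would wrap the subtraction to a huge value and let any 16-bit `plen` through, leaving `attr->identity_len` larger than the received data. The declaration of `alen` and the attribute-length validation in `eap_sim_parse_attr` are outside the hunk, so this may already be guaranteed by the enclosing loop. If it is, a comment such as `/* alen >= 2 here: attribute length was validated above */` would make that explicit; otherwise test first with `if (alen < 2 || WPA_GET_BE16(apos) > alen - 2)` before reading and advancing.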