author | Jouni Malinen <j@w1.fi> | 2014-06-29 15:52:09 (GMT) |
---|---|---|
committer | Jouni Malinen <j@w1.fi> | 2014-07-02 09:38:47 (GMT) |
commit | ee352f1e5a4957d06adb9a6ba560677dc6dfecb2 (patch) | |
tree | 41c22454f518dd7ee4b206013bde64f314272a47 /src/eap_peer/eap_pwd.c | |
parent | b2b8a4cb10639494e25f6528a95c917a30e7ea30 (diff) | |
EAP-pwd: Add explicit total length limit
Instead of using implicit limit based on 16-bit unsigned integer having
a maximum value of 65535, limit the maximum length of a fragmented
EAP-pwd message explicitly to 15000 bytes. None of the supported groups
use longer messages, so it is fine to reject any longer message without
even trying to reassemble it. This will hopefully also help in reducing
false warnings from static analyzers (CID 68124).
Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_peer/eap_pwd.c')
-rw-r--r-- | src/eap_peer/eap_pwd.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c index 2aa7ba5..fec3224 100644 --- a/src/eap_peer/eap_pwd.c +++ b/src/eap_peer/eap_pwd.c @@ -782,6 +782,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, tot_len = WPA_GET_BE16(pos); wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose " "total length = %d", tot_len); + if (tot_len > 15000) + return NULL; data->inbuf = wpabuf_alloc(tot_len); if (data->inbuf == NULL) { wpa_printf(MSG_INFO, "Out of memory to buffer " |
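Review bot: The new `if (tot_len > 15000) return NULL;` rejects the message silently, while the allocation-failure path just below it logs "Out of memory to buffer ...". Please add a wpa_printf() before the return that says the advertised total length exceeded the limit, so a dropped oversized fragment can be told apart from other NULL returns when reading debug logs. The literal 15000 would also be better as a named constant with a comment giving the rationale from the commit message (none of the supported groups use longer messages); that keeps the bound in one place if other code ever needs to apply the same limit. The check is correctly placed before wpabuf_alloc(tot_len), so the peer-supplied length never reaches the allocator unbounded.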