aboutsummaryrefslogtreecommitdiffstats
path: root/src/eap_peer/eap_pwd.c
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2014-06-29 15:52:09 (GMT)
committerJouni Malinen <j@w1.fi>2014-07-02 09:38:47 (GMT)
commitee352f1e5a4957d06adb9a6ba560677dc6dfecb2 (patch)
tree41c22454f518dd7ee4b206013bde64f314272a47 /src/eap_peer/eap_pwd.c
parentb2b8a4cb10639494e25f6528a95c917a30e7ea30 (diff)
downloadhostap-ee352f1e5a4957d06adb9a6ba560677dc6dfecb2.zip
hostap-ee352f1e5a4957d06adb9a6ba560677dc6dfecb2.tar.gz
hostap-ee352f1e5a4957d06adb9a6ba560677dc6dfecb2.tar.bz2
EAP-pwd: Add explicit total length limit
Instead of using implicit limit based on 16-bit unsigned integer having a maximum value of 65535, limit the maximum length of a fragmented EAP-pwd message explicitly to 15000 bytes. None of the supported groups use longer messages, so it is fine to reject any longer message without even trying to reassemble it. This will hopefully also help in reducing false warnings from static analyzers (CID 68124). Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_peer/eap_pwd.c')
-rw-r--r--src/eap_peer/eap_pwd.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 2aa7ba5..fec3224 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -782,6 +782,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
tot_len = WPA_GET_BE16(pos);
wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
"total length = %d", tot_len);
+ if (tot_len > 15000)
+ return NULL;
data->inbuf = wpabuf_alloc(tot_len);
if (data->inbuf == NULL) {
wpa_printf(MSG_INFO, "Out of memory to buffer "