authorJouni Malinen <j@w1.fi>2014-07-26 18:12:49 (GMT)
committerJouni Malinen <j@w1.fi>2014-07-26 18:14:05 (GMT)
commite8c08c9a363340c45baf8e13c758c99078bc0d8b (patch)
tree6606fc73e173965cf43574f9e31b6b5e5a187c5f /src/eap_server
parent8b65fefeedd8a448d20e7951f98e9dfa9c8ec8c1 (diff)
EAP-FAST server: Fix potential read-after-buffer (by one byte)
The special PAC_OPAQUE_TYPE_PAD case did not skip incrementing of the pos pointer and could result in one octet read-after-buffer when parsing the PAC-Opaque data. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_server')
-rw-r--r--src/eap_server/eap_server_fast.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/eap_server/eap_server_fast.c b/src/eap_server/eap_server_fast.c
index 1024510..4691e72 100644
--- a/src/eap_server/eap_server_fast.c
+++ b/src/eap_server/eap_server_fast.c
@@ -187,7 +187,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
switch (*pos) {
case PAC_OPAQUE_TYPE_PAD:
pos = end;
- break;
+ goto done;
case PAC_OPAQUE_TYPE_KEY:
if (pos[1] != EAP_FAST_PAC_KEY_LEN) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid "
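Review bot: The `goto done;` in the `PAC_OPAQUE_TYPE_PAD` case has no comment explaining why it cannot be a plain `break`, so a later cleanup could restore the `break` and bring back the out-of-bounds read. I would add `/* pos == end here: skip the loop-tail "pos += 2 + pos[1]", which would read pos[1] past the end of the buffer */` directly above it. The preceding `pos = end;` also looks redundant now that control leaves the loop directly; if nothing after `done:` reads `pos` (not visible here), it could be dropped. The `switch` and its enclosing loop begin and end outside this hunk, so the bounds check guarding the `pos[1]` read in the `PAC_OPAQUE_TYPE_KEY` case cannot be confirmed from these lines.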
@@ -218,6 +218,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
pos += 2 + pos[1];
}
+done:
if (pac_key == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in "