authorJouni Malinen <j@w1.fi>2014-06-29 15:52:09 (GMT)
committerJouni Malinen <j@w1.fi>2014-07-02 09:38:47 (GMT)
commitee352f1e5a4957d06adb9a6ba560677dc6dfecb2 (patch)
tree41c22454f518dd7ee4b206013bde64f314272a47 /src/eap_server
parentb2b8a4cb10639494e25f6528a95c917a30e7ea30 (diff)
EAP-pwd: Add explicit total length limit
Instead of using implicit limit based on 16-bit unsigned integer having a maximum value of 65535, limit the maximum length of a fragmented EAP-pwd message explicitly to 15000 bytes. None of the supported groups use longer messages, so it is fine to reject any longer message without even trying to reassemble it. This will hopefully also help in reducing false warnings from static analyzers (CID 68124). Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_server')
-rw-r--r--src/eap_server/eap_server_pwd.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index ec53481..846ac1f 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -900,6 +900,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
tot_len = WPA_GET_BE16(pos);
wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
"length = %d", tot_len);
+ if (tot_len > 15000)
+ return;
data->inbuf = wpabuf_alloc(tot_len);
if (data->inbuf == NULL) {
wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
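Review bot: The added `if (tot_len > 15000) return;` rejects an oversized peer-supplied total length silently and with the limit as a bare literal, so the debug log cannot distinguish a rejected fragment start from one that went on to allocate. I would give the limit a named constant and log before returning, for example `wpa_printf(MSG_DEBUG, "EAP-pwd: Unsupported total length %d", tot_len);`. The hunk also does not show whether at least two octets remain at `pos` before `WPA_GET_BE16(pos)`, or whether an earlier `data->inbuf` is released before the new `wpabuf_alloc()`. Both are worth confirming, since eap_pwd_process() starts and ends outside the hunk.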