aboutsummaryrefslogtreecommitdiffstats
path: root/src/eap_server
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2019-04-19 21:19:02 (GMT)
committerJouni Malinen <j@w1.fi>2019-04-19 21:27:15 (GMT)
commitfa52bc8b98b81b604655b117d2d1136956e21ba5 (patch)
tree33f993b9f94a7ce8ade81395e71085214af4598a /src/eap_server
parentb3c2b5d9f7d8dc652398968ad33e00fc2fdacbf1 (diff)
downloadhostap-fa52bc8b98b81b604655b117d2d1136956e21ba5.zip
hostap-fa52bc8b98b81b604655b117d2d1136956e21ba5.tar.gz
hostap-fa52bc8b98b81b604655b117d2d1136956e21ba5.tar.bz2
EAP-PAX server: Fix message length checks for MSGDUMP level hexdump
EAP-PAX server implementation could end up reading beyond the end of the buffer if MSGDUMP level debugging was enabled and a message without the ICV field was received. Fix this by using more strict message length validation. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_server')
-rw-r--r--src/eap_server/eap_server_pax.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/eap_server/eap_server_pax.c b/src/eap_server/eap_server_pax.c
index 8ef90c9..2e8c1a6 100644
--- a/src/eap_server/eap_server_pax.c
+++ b/src/eap_server/eap_server_pax.c
@@ -205,7 +205,7 @@ static Boolean eap_pax_check(struct eap_sm *sm, void *priv,
u8 icvbuf[EAP_PAX_ICV_LEN], *icv;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PAX, respData, &len);
- if (pos == NULL || len < sizeof(*resp)) {
+ if (pos == NULL || len < sizeof(*resp) + EAP_PAX_ICV_LEN) {
wpa_printf(MSG_INFO, "EAP-PAX: Invalid frame");
return TRUE;
}