aboutsummaryrefslogtreecommitdiffstats
path: root/src/eapol_supp
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2012-08-07 18:59:15 (GMT)
committerJouni Malinen <j@w1.fi>2012-08-07 18:59:15 (GMT)
commitbf0d9ae40f94836e9c215dc706c6b359dd2dc5f5 (patch)
treeb0eb95095cf0c08991f57c39781a138ac895fa5d /src/eapol_supp
parent70a26e708c656137a2291e9286445fc80224bfc2 (diff)
downloadhostap-bf0d9ae40f94836e9c215dc706c6b359dd2dc5f5.zip
hostap-bf0d9ae40f94836e9c215dc706c6b359dd2dc5f5.tar.gz
hostap-bf0d9ae40f94836e9c215dc706c6b359dd2dc5f5.tar.bz2
Add explicit EAPOL-Key length validation in processKey()
These checks would not really be needed since eapol_sm_rx_eapol() validates the length fields. Anyway, these makes it more obvious to anyone reviewing the code that there are no integer underflow issues in processKey(). Signed-hostap: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eapol_supp')
-rw-r--r--src/eapol_supp/eapol_supp_sm.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
index 88398b3..280d1b0 100644
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@@ -631,6 +631,7 @@ static void eapol_sm_processKey(struct eapol_sm *sm)
u8 ekey[IEEE8021X_KEY_IV_LEN + IEEE8021X_ENCR_KEY_LEN];
int key_len, res, sign_key_len, encr_key_len;
u16 rx_key_length;
+ size_t plen;
wpa_printf(MSG_DEBUG, "EAPOL: processKey");
if (sm->last_rx_key == NULL)
@@ -643,9 +644,12 @@ static void eapol_sm_processKey(struct eapol_sm *sm)
return;
}
+ if (sm->last_rx_key_len < sizeof(*hdr) + sizeof(*key))
+ return;
hdr = (struct ieee802_1x_hdr *) sm->last_rx_key;
key = (struct ieee802_1x_eapol_key *) (hdr + 1);
- if (sizeof(*hdr) + be_to_host16(hdr->length) > sm->last_rx_key_len) {
+ plen = be_to_host16(hdr->length);
+ if (sizeof(*hdr) + plen > sm->last_rx_key_len || plen < sizeof(*key)) {
wpa_printf(MSG_WARNING, "EAPOL: Too short EAPOL-Key frame");
return;
}
@@ -711,7 +715,7 @@ static void eapol_sm_processKey(struct eapol_sm *sm)
}
wpa_printf(MSG_DEBUG, "EAPOL: EAPOL-Key key signature verified");
- key_len = be_to_host16(hdr->length) - sizeof(*key);
+ key_len = plen - sizeof(*key);
if (key_len > 32 || rx_key_length > 32) {
wpa_printf(MSG_WARNING, "EAPOL: Too long key data length %d",
key_len ? key_len : rx_key_length);