aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2012-10-07 17:06:29 (GMT)
committerJouni Malinen <j@w1.fi>2012-10-07 17:59:01 (GMT)
commitf3043318970a98c98e968ed17b3e2f49dc42c646 (patch)
tree3434e3218727427b6f025b38fb8c86729c4883ca
parent6e4d241df33b3bd6935f74f45f2f1161df889268 (diff)
downloadhostap-07-master.zip
hostap-07-master.tar.gz
hostap-07-master.tar.bz2
EAP-TLS server: Fix TLS Message Length validationHEADmaster
EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS Message Length value properly and could end up trying to store more information into the message buffer than the allocated size if the first fragment is longer than the indicated size. This could result in hostapd process terminating in wpabuf length validation. Fix this by rejecting messages that have invalid TLS Message Length value. This would affect cases that use the internal EAP authentication server in hostapd either directly with IEEE 802.1X or when using hostapd as a RADIUS authentication server and when receiving an incorrectly constructed EAP-TLS message. Cases where hostapd uses an external authentication are not affected. Thanks to Timo Warns for finding and reporting this issue. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1 (cherry picked from commit 586c446e0ff42ae00315b014924ec669023bd8de)
-rw-r--r--src/eap_server/eap_server_tls_common.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 25ae683..625ff52 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
return -1;
}
+ if (len > message_length) {
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+ "first fragment of frame (TLS Message "
+ "Length %d bytes)",
+ (int) len, (int) message_length);
+ return -1;
+ }
+
data->tls_in = wpabuf_alloc(message_length);
if (data->tls_in == NULL) {
wpa_printf(MSG_DEBUG, "SSL: No memory for message");