authorJouni Malinen <jouni@codeaurora.org>2019-04-16 22:55:32 (GMT)
committerJouni Malinen <j@w1.fi>2019-04-16 23:23:31 (GMT)
commitfe76f487e28bdc61940f304f153a954cf36935ea (patch)
tree4652bdca012625831907213c7a4993b1568e3745
parenta9d224f560be8a7761c00681d48da4bd0b57225b (diff)
EAP-pwd server: Fix reassembly buffer handling
data->inbuf allocation might fail and if that were to happen, the next fragment in the exchange could have resulted in a NULL pointer dereference. An unexpected fragment with the More bit set might also be able to trigger this. Fix that by explicitly checking that data->inbuf is available before using it. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--src/eap_server/eap_server_pwd.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 11bef55..38e2af8 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -912,6 +912,12 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* the first and all intermediate fragments have the M bit set
*/
if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ if (!data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: No buffer for reassembly");
+ eap_pwd_state(data, FAILURE);
+ return;
+ }
if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
"attack detected! (%d+%d > %d)",
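Review bot: The new `if (!data->inbuf)` guard states the symptom but not why the buffer can be missing at this point, so a reader of this block alone cannot tell whether the branch is a real protocol condition or a pure allocation-failure fallback. A short comment above the guard, e.g. `/* inbuf may be missing if its allocation failed or if a fragment with the M bit set arrived outside a reassembly sequence */`, would record the two cases the commit message names. The guard also repeats the log-fail-return shape of the overflow check just below it; if the rest of eap_pwd_process uses the same three-line pattern, a small local helper or a shared `goto fail` label would keep the failure paths identical. eap_pwd_process begins and ends outside this hunk, so the allocation site itself is not visible here.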
@@ -932,7 +938,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* last fragment won't have the M bit set (but we're obviously
* buffering fragments so that's how we know it's the last)
*/
- if (data->in_frag_pos) {
+ if (data->in_frag_pos && data->inbuf) {
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
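Review bot: The added `&& data->inbuf` changes how the inconsistent state (in_frag_pos set, inbuf NULL) is handled: the first hunk fails the exchange for it, whereas here the condition is silently treated as a non-fragmented message and processing continues with the current `pos`/`len`. With the first hunk in place this false branch appears unreachable unless the code between the two hunks, which is outside my view, clears inbuf; if it is meant purely as belt-and-braces, a comment such as `/* inbuf already validated above; defensive only */` would make that explicit. If the state is reachable, an explicit `eap_pwd_state(data, FAILURE); return;` would be consistent with the first hunk rather than falling through. The enclosing function continues past the end of this hunk.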