EAP-TLS: Add extra validation for TLS Message Length
This commit is contained in:
John W. Linville
parent
438eb5ef36
commit
11cd48b17f
@ -0,0 +1,48 @@
|
||||
From 586c446e0ff42ae00315b014924ec669023bd8de Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sun, 7 Oct 2012 20:06:29 +0300
|
||||
Subject: [PATCH] EAP-TLS server: Fix TLS Message Length validation
|
||||
|
||||
EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
|
||||
Message Length value properly and could end up trying to store more
|
||||
information into the message buffer than the allocated size if the first
|
||||
fragment is longer than the indicated size. This could result in hostapd
|
||||
process terminating in wpabuf length validation. Fix this by rejecting
|
||||
messages that have invalid TLS Message Length value.
|
||||
|
||||
This would affect cases that use the internal EAP authentication server
|
||||
in hostapd either directly with IEEE 802.1X or when using hostapd as a
|
||||
RADIUS authentication server and when receiving an incorrectly
|
||||
constructed EAP-TLS message. Cases where hostapd uses an external
|
||||
authentication are not affected.
|
||||
|
||||
Thanks to Timo Warns for finding and reporting this issue.
|
||||
|
||||
Signed-hostap: Jouni Malinen <j@w1.fi>
|
||||
intended-for: hostap-1
|
||||
---
|
||||
src/eap_server/eap_server_tls_common.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
|
||||
index 31be2ec..46f282b 100644
|
||||
--- a/src/eap_server/eap_server_tls_common.c
|
||||
+++ b/src/eap_server/eap_server_tls_common.c
|
||||
@@ -228,6 +228,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if (len > message_length) {
|
||||
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
|
||||
+ "first fragment of frame (TLS Message "
|
||||
+ "Length %d bytes)",
|
||||
+ (int) len, (int) message_length);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
data->tls_in = wpabuf_alloc(message_length);
|
||||
if (data->tls_in == NULL) {
|
||||
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
|
||||
--
|
||||
1.7.11.4
|
||||
|
||||
10
hostapd.spec
10
hostapd.spec
@ -1,6 +1,6 @@
|
||||
Name: hostapd
|
||||
Version: 1.0
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
|
||||
Group: System Environment/Daemons
|
||||
License: BSD
|
||||
@ -11,6 +11,7 @@ Source1: %{name}.service
|
||||
Source2: %{name}.conf
|
||||
Source3: %{name}.sysconfig
|
||||
Patch0: hostapd-RPM_OPT_FLAGS.patch
|
||||
Patch1: hostapd-EAP-TLS-server-Fix-TLS-Message-Length-validation.patch
|
||||
|
||||
BuildRequires: libnl-devel >= 1.1
|
||||
BuildRequires: openssl-devel
|
||||
@ -47,6 +48,10 @@ Logwatch scripts for hostapd
|
||||
# Hack Makefile to allow use of RPM_OPT_FLAGS
|
||||
%patch0 -p1
|
||||
|
||||
# git://w1.fi/srv/git/hostap.git
|
||||
# commit 586c446e0ff42ae00315b014924ec669023bd8de
|
||||
%patch1 -p1
|
||||
|
||||
# Prepare default config file
|
||||
cat %{SOURCE2} | sed -e 's/HOSTAPD_VERSION/'%{version}'/' > hostapd.conf
|
||||
|
||||
@ -163,6 +168,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Oct 8 2012 John W. Linville <linville@redhat.com> - 1.0-3
|
||||
- EAP-TLS: Add extra validation for TLS Message Length
|
||||
|
||||
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user