0d84226850
- Rebase "EAP-TLS server" patch to 2.3
49 lines
1.7 KiB
Diff
49 lines
1.7 KiB
Diff
From 586c446e0ff42ae00315b014924ec669023bd8de Mon Sep 17 00:00:00 2001
|
|
From: Jouni Malinen <j@w1.fi>
|
|
Date: Sun, 7 Oct 2012 20:06:29 +0300
|
|
Subject: [PATCH] EAP-TLS server: Fix TLS Message Length validation
|
|
|
|
EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
|
|
Message Length value properly and could end up trying to store more
|
|
information into the message buffer than the allocated size if the first
|
|
fragment is longer than the indicated size. This could result in hostapd
|
|
process terminating in wpabuf length validation. Fix this by rejecting
|
|
messages that have invalid TLS Message Length value.
|
|
|
|
This would affect cases that use the internal EAP authentication server
|
|
in hostapd either directly with IEEE 802.1X or when using hostapd as a
|
|
RADIUS authentication server and when receiving an incorrectly
|
|
constructed EAP-TLS message. Cases where hostapd uses an external
|
|
authentication are not affected.
|
|
|
|
Thanks to Timo Warns for finding and reporting this issue.
|
|
|
|
Signed-hostap: Jouni Malinen <j@w1.fi>
|
|
intended-for: hostap-1
|
|
---
|
|
src/eap_server/eap_server_tls_common.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
|
|
index 31be2ec..46f282b 100644
|
|
--- a/src/eap_server/eap_server_tls_common.c
|
|
+++ b/src/eap_server/eap_server_tls_common.c
|
|
@@ -261,6 +261,14 @@
|
|
return -1;
|
|
}
|
|
|
|
+ if (len > message_length) {
|
|
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
|
|
+ "first fragment of frame (TLS Message "
|
|
+ "Length %d bytes)",
|
|
+ (int) len, (int) message_length);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
data->tls_in = wpabuf_alloc(message_length);
|
|
if (data->tls_in == NULL) {
|
|
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
|
|
--
|
|
1.7.11.4
|
|
|