6c40914c0c
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141) - EAP-pwd peer: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd server: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd peer: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd server: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146) - NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041) - WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use (CVE-2015-5310) - EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315) - EAP-pwd server: Fix last fragment length validation (CVE-2015-5314) - EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316) Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> SVN-Revision: 48185
52 lines
1.8 KiB
Diff
52 lines
1.8 KiB
Diff
From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
|
|
From: Jouni Malinen <j@w1.fi>
|
|
Date: Sat, 2 May 2015 19:23:04 +0300
|
|
Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
|
|
reassembly
|
|
|
|
The remaining number of bytes in the message could be smaller than the
|
|
Total-Length field size, so the length needs to be explicitly checked
|
|
prior to reading the field and decrementing the len variable. This could
|
|
have resulted in the remaining length becoming negative and interpreted
|
|
as a huge positive integer.
|
|
|
|
In addition, check that there is no already started fragment in progress
|
|
before allocating a new buffer for reassembling fragments. This avoid a
|
|
potential memory leak when processing invalid message.
|
|
|
|
Signed-off-by: Jouni Malinen <j@w1.fi>
|
|
---
|
|
src/eap_peer/eap_pwd.c | 12 ++++++++++++
|
|
1 file changed, 12 insertions(+)
|
|
|
|
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
|
|
index a629437..1d2079b 100644
|
|
--- a/src/eap_peer/eap_pwd.c
|
|
+++ b/src/eap_peer/eap_pwd.c
|
|
@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
|
|
* if it's the first fragment there'll be a length field
|
|
*/
|
|
if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
|
|
+ if (len < 2) {
|
|
+ wpa_printf(MSG_DEBUG,
|
|
+ "EAP-pwd: Frame too short to contain Total-Length field");
|
|
+ ret->ignore = TRUE;
|
|
+ return NULL;
|
|
+ }
|
|
tot_len = WPA_GET_BE16(pos);
|
|
wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
|
|
"total length = %d", tot_len);
|
|
if (tot_len > 15000)
|
|
return NULL;
|
|
+ if (data->inbuf) {
|
|
+ wpa_printf(MSG_DEBUG,
|
|
+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
|
|
+ ret->ignore = TRUE;
|
|
+ return NULL;
|
|
+ }
|
|
data->inbuf = wpabuf_alloc(tot_len);
|
|
if (data->inbuf == NULL) {
|
|
wpa_printf(MSG_INFO, "Out of memory to buffer "
|
|
--
|
|
1.9.1
|
|
|