EAP-AKA: Validate RES Length field in AT_RES

This change breaks interoperability with older wpa_supplicant versions
(everything up to and including wpa_supplicant 0.5.10 and 0.6.5), which
incorrectly used this field as the number of bytes, not bits, in RES.
This commit is contained in:
Jouni Malinen 2008-11-07 08:34:07 +02:00 committed by Jouni Malinen
parent fa71a1d84a
commit 04a5bad682
3 changed files with 13 additions and 2 deletions


@ -666,10 +666,19 @@ static void eap_aka_process_challenge(struct eap_sm *sm,
return;
}
if (attr->res == NULL || attr->res_len != data->res_len ||
/*
* AT_RES is padded, so verify that there is enough room for RES and
* that the RES length in bits matches with the expected RES.
*/
if (attr->res == NULL || attr->res_len < data->res_len ||
attr->res_len_bits != data->res_len * 8 ||
os_memcmp(attr->res, data->res, data->res_len) != 0) {
wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message did not "
"include valid AT_RES");
"include valid AT_RES (attr len=%lu, res len=%lu "
"bits, expected %lu bits)",
(unsigned long) attr->res_len,
(unsigned long) attr->res_len_bits,
(unsigned long) data->res_len);
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
eap_aka_state(data, NOTIFICATION);
return;
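Review bot: The last argument of the new wpa_printf() call prints `data->res_len` under the text "expected %lu bits", but `data->res_len` is a byte count — the check two lines above compares `attr->res_len_bits` against `data->res_len * 8` — so the diagnostic reports the expected length at one eighth of its real value and disagrees with the "res len" figure printed beside it. Change the final argument to `(unsigned long) data->res_len * 8);` so the message matches the comparison it describes. The new condition itself is consistent: `attr->res_len < data->res_len` guarantees room for the os_memcmp() that follows, and comparing only `data->res_len` bytes is in line with the added comment about AT_RES padding, though a short note that trailing padding bytes are deliberately not compared would make that intent explicit. eap_aka_process_challenge() begins and ends outside this hunk.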