From 13cb0a66d5ac4d4cda6cd565781a440229e642f0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Tue, 22 Dec 2015 00:03:44 +0200
Subject: [PATCH] EAP-EKE: Reject too long Prot() data when building a frame

This error case in own buffer lengths being too short was not handled
properly. While this should not really happen since the wpabuf
allocation is made large for the fixed cases that are currently
supported, better make eap_eke_prot() safer if this functionally ever
gets extended with a longer buffer need.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/eap_common/eap_eke_common.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/eap_common/eap_eke_common.c b/src/eap_common/eap_eke_common.c
index 4dfdb3f9c..b603e32b3 100644
--- a/src/eap_common/eap_eke_common.c
+++ b/src/eap_common/eap_eke_common.c
@@ -635,6 +635,7 @@ int eap_eke_prot(struct eap_eke_session *sess,
 
 	if (*prot_len < block_size + data_len + pad + icv_len) {
 		wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for Prot() data");
+		return -1;
 	}
 	pos = prot;