From 458cb3019108b6cb8c0c1cab94ae6ebf244eda27 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 7 Oct 2012 20:18:10 +0300
Subject: [PATCH] EAP-TLS: Add extra validation for TLS Message Length
While the existing code already addresses TLS Message Length validation for both EAP-TLS peer and server side, this adds explicit checks and rejection of invalid messages in the functions handling reassembly. This does not change externally observable behavior in case of EAP server. For EAP peer, this starts rejecting invalid messages instead of addressing them by reallocating the buffer (i.e., ignoring TLS Message Length in practice).
Signed-hostap: Jouni Malinen
---
 src/eap_peer/eap_tls_common.c | 8 ++++++++
 src/eap_server/eap_server_tls_common.c | 7 +++++++
 2 files changed, 15 insertions(+)
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 7eefe8c93..aedd85a79 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -829,6 +829,14 @@ const u8 * eap_peer_tls_process_init(struct eap_sm *sm,
 }
 pos += 4;
 left -= 4;
+
+ if (left > tls_msg_len) {
+ wpa_printf(MSG_INFO, "SSL: TLS Message Length (%d "
+ "bytes) smaller than this fragment (%d "
+ "bytes)", (int) tls_msg_len, (int) left);
+ ret->ignore = TRUE;
+ return NULL;
+ }
 }
 ret->ignore = FALSE;
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 46f282bd9..9efb5b293 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -297,6 +297,13 @@ static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
 tls_msg_len);
 *pos += 4;
 *left -= 4;
+
+ if (*left > tls_msg_len) {
+ wpa_printf(MSG_INFO, "SSL: TLS Message Length (%d "
+ "bytes) smaller than this fragment (%d "
+ "bytes)", (int) tls_msg_len, (int) *left);
+ return -1;
+ }
 }
 wpa_printf(MSG_DEBUG, "SSL: Received packet: Flags 0x%x "
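Review bot: The new wpa_printf in eap_peer_tls_process_init, and the identical one in the eap_server_tls_reassemble hunk, cast the lengths to int for `%d` even though tls_msg_len was just read from a 4-byte wire field, so an attacker-chosen value above INT_MAX is logged as a negative number and the rejection message misreports the very value an analyst would want when triaging a malformed-fragment event. Printing with `%lu` and `(unsigned long)` casts keeps the log faithful, e.g. `"SSL: TLS Message Length (%lu bytes) smaller than this fragment (%lu bytes)", (unsigned long) tls_msg_len, (unsigned long) left` on the peer side and the same with `*left` on the server side. The check itself is correctly placed only after the 4-byte length field has been consumed from left, and it bounds only the first fragment against the advertised total; the commit message says the running total during reassembly is already bounded elsewhere, which these hunks do not show, so a one-line comment such as `/* A fragment cannot exceed the advertised total TLS message length */` would tell the next reader why only this direction is tested here. Both enclosing functions start and end outside their hunks.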