From 5a55c9b4112d009f68203d2cb75fed2a738299e5 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 10 Oct 2015 18:38:37 +0300
Subject: [PATCH] Fix MSCHAP UTF-8 to UCS-2 conversion check for three-byte encoding

The utf8_string_len comparison was off by one and ended up accepting a truncated three-byte encoded UTF-8 character at the end of the string if the octet was missing. Since the password string gets null terminated in the configuration, this did not result in reading beyond the buffer, but anyway, it is better to explicitly reject the string rather than try to use an incorrectly encoded UTF-8 string as the password.

Signed-off-by: Jouni Malinen
---
 src/crypto/ms_funcs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/crypto/ms_funcs.c b/src/crypto/ms_funcs.c
index 053d203cb..d0d6a96af 100644
--- a/src/crypto/ms_funcs.c
+++ b/src/crypto/ms_funcs.c
@@ -48,7 +48,7 @@ static int utf8_to_ucs2(const u8 *utf8_string, size_t utf8_string_len,
 WPA_PUT_LE16(ucs2_buffer + j,
 ((c & 0x1F) << 6) | (c2 & 0x3F));
 j += 2;
- } else if (i == utf8_string_len ||
+ } else if (i == utf8_string_len - 1 ||
 j >= ucs2_buffer_size - 1) {
 /* incomplete surrogate */
 return -1;
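Review bot: The two-byte branch kept as context at the top of the hunk still builds the code unit from `c2 & 0x3F` without checking that `c2` is a continuation byte, so the stricter rejection this commit aims for covers truncation only. Unless that is validated outside the hunk, a guard such as `if ((c2 & 0xC0) != 0x80) return -1;` before the store (and presumably the same for the third octet) would reject malformed input rather than convert it into a different password string. The comment on the corrected branch, `/* incomplete surrogate */`, is also misleading, because the branch rejects a truncated three-byte sequence or a full output buffer; `/* truncated three-byte sequence or no room for output */` would say that. Both `utf8_string_len - 1` and `ucs2_buffer_size - 1` are unsigned subtractions that wrap at zero, which an earlier check in the loop presumably rules out; the body of utf8_to_ucs2 starts and ends outside the hunk, so this should be confirmed there.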