From 87fcb5a735f0deb2c7528e363f27c09d2e501ba3 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 2 May 2015 18:18:51 +0300
Subject: [PATCH] EAP-PAX: Fix PAX_STD-1 and PAX_STD-3 payload length validation
The req_plen argument to eap_pax_process_std_1() and eap_pax_process_std_3() could be smaller than sizeof(struct eap_pax_hdr) since the main processing function was only verifying that there is enough room for the ICV and then removed ICV length from the remaining payload length. In theory, this could have resulted in the size_t left parameter being set to a negative value that would be interpreted as a huge positive integer. That could then result in a small buffer read overflow and process termination if MSGDUMP debug verbosity was in use. In practice, it does not seem to be feasible to construct a short message that would be able to pass the ICV validation (calculated using HMAC-SHA1-128) even for the case where an empty password is used. Anyway, the implementation should really check the length explicitly instead of depending on implicit check through ICV validation.
Signed-off-by: Jouni Malinen
---
src/eap_peer/eap_pax.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/eap_peer/eap_pax.c b/src/eap_peer/eap_pax.c
index 6d1ff208a..c920bcd31 100644
--- a/src/eap_peer/eap_pax.c
+++ b/src/eap_peer/eap_pax.c
@@ -333,7 +333,7 @@ static struct wpabuf * eap_pax_process(struct eap_sm *sm, void *priv,
 u16 flen, mlen;
 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PAX, reqData, &len);
- if (pos == NULL || len < EAP_PAX_ICV_LEN) {
+ if (pos == NULL || len < sizeof(*req) + EAP_PAX_ICV_LEN) {
 ret->ignore = TRUE;
 return NULL;
 }
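Review bot: The tightened bound in the added `if` line is the only thing that keeps the later `len - sizeof(*req) - EAP_PAX_ICV_LEN` style arithmetic described in the commit message from wrapping, yet nothing at the check says so, which invites a future cleanup to relax it back to the ICV-only form; a comment above it such as `/* Header and trailing ICV must both fit before any field is read; the STD-1/STD-3 handlers rely on this bound, not on ICV verification, for their length math. */` would make the invariant explicit. The `u16 flen, mlen;` declaration in the first context line suggests further length fields are parsed from the payload below; their comparison against `len` and the declaration of `req` used in `sizeof(*req)` are outside the hunk, as is the rest of eap_pax_process, so I could not confirm they are bounded. Worth confirming that dropping a truncated frame with `ret->ignore = TRUE` and no debug output is intentional, since a silently ignored packet is harder to diagnose than one logged at MSGDUMP level.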