From b7c61c9d4e968e7254112631a9f6a1a1f8ef6f7f Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 14 Jun 2014 00:20:04 +0300
Subject: [PATCH] Fix validation of EAPOL-Key length with AES key wrap (CID 62859)

The additional eight octet field was removed from keydatalen without proper validation of the Key Data Length field. It would have been possible for an invalid EAPOL-Key frame to be processed in a way that ends up reading beyond the buffer. In theory, this could have also resulted in writing beyond the EAPOL-Key frame buffer, but that is unlikely to be feasible due to the AES key wrap validation step on arbitrary memory contents.

Signed-off-by: Jouni Malinen
---
 src/rsn_supp/wpa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index ba2a8c87d..d31de4567 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1501,7 +1501,7 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
 sm->key_mgmt == WPA_KEY_MGMT_OSEN) {
 u8 *buf;
- if (keydatalen % 8) {
+ if (keydatalen < 8 || keydatalen % 8) {
 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
 "WPA: Unsupported AES-WRAP len %d",
 keydatalen);
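Review bot: The new lower bound `keydatalen < 8` guards the 8-octet subtraction that the commit message describes, but a frame with keydatalen exactly 8 still passes and would leave a zero-length input for the unwrap step that follows outside this hunk; confirm that the unwrap helper rejects n == 0, since RFC 3394 key wrap needs at least one 64-bit plaintext block and 16 would then be the tighter bound. The literal 8 is a magic number in a security check and deserves a why-comment, e.g. `/* AES key wrap (RFC 3394) prepends one 8-octet integrity block */`. The warning text "Unsupported AES-WRAP len" now also fires for a too-short, i.e. invalid rather than unsupported, length; a reader of the log may find "Invalid AES-WRAP len" clearer, though that is a wording choice. The enclosing function wpa_supplicant_decrypt_key_data starts and ends outside the hunk.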