EAP-FAST server: Fix potential read-after-buffer (by one byte)
The special PAC_OPAQUE_TYPE_PAD case did not skip incrementing of the pos pointer and could result in one octet read-after-buffer when parsing the PAC-Opaque data. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
8b65fefeed
commit
e8c08c9a36
1 changed files with 2 additions and 1 deletions
|
@ -187,7 +187,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
|
|||
switch (*pos) {
|
||||
case PAC_OPAQUE_TYPE_PAD:
|
||||
pos = end;
|
||||
break;
|
||||
goto done;
|
||||
case PAC_OPAQUE_TYPE_KEY:
|
||||
if (pos[1] != EAP_FAST_PAC_KEY_LEN) {
|
||||
wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid "
|
||||
|
@ -218,6 +218,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
|
|||
|
||||
pos += 2 + pos[1];
|
||||
}
|
||||
done:
|
||||
|
||||
if (pac_key == NULL) {
|
||||
wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in "
|
||||
|
|
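Review bot: The `goto done;` in the PAC_OPAQUE_TYPE_PAD case has no comment explaining why it leaves the loop instead of using `break`, so a later cleanup could turn it back into `break` and reintroduce the out-of-bounds read at `pos += 2 + pos[1];`. I would add `/* PAD ends parsing; jump past the pos += 2 + pos[1] advance, which would read beyond end */` above the `goto`. With the jump in place, `pos = end;` looks redundant unless pos is read after the `done:` label, which is not visible in these hunks. eap_fast_session_ticket_cb starts and ends outside both hunks, so the loop condition and the length check that guards `pos[1]` in the other cases should be confirmed there.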