hostapd/src/eap_server
Jouni Malinen e28a58be26 EAP-pwd server: Fix payload length validation for Commit and Confirm
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.

Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
eap.h Declare all read only data structures as const 2015-04-25 17:33:06 +03:00
eap_i.h Declare all read only data structures as const 2015-04-25 17:33:06 +03:00
eap_methods.h HS 2.0R2: Add WFA server-only EAP-TLS server method 2014-02-26 01:24:25 +02:00
eap_server.c Declare all read only data structures as const 2015-04-25 17:33:06 +03:00
eap_server_aka.c EAP server: Add getSessionId 2014-11-30 15:53:11 +02:00
eap_server_eke.c EAP server: Clear keying material on deinit 2014-07-02 12:38:48 +03:00
eap_server_fast.c eap_server: Avoid NULL pointer dereference in eap_fast_encrypt_phase2() 2015-01-20 02:11:59 +02:00
eap_server_gpsk.c EAP server: Add getSessionId 2014-11-30 15:53:11 +02:00
eap_server_gtc.c EAP-GTC: Use os_memcmp_const() for hash/password comparisons 2014-07-02 12:38:48 +03:00
eap_server_identity.c RADIUS/EAP server: Use longer username buffer to avoid truncation 2014-06-02 17:36:51 +03:00
eap_server_ikev2.c EAP-IKEv2: Add explicit limit for maximum message length 2014-12-21 00:25:16 +02:00
eap_server_md5.c EAP-MD5: Use os_memcmp_const() for hash/password comparisons 2014-07-02 12:38:47 +03:00
eap_server_methods.c Avoid NULL string in printf on EAP method names in authenticator 2015-01-20 02:07:22 +02:00
eap_server_mschapv2.c EAP server: Add debug prints to help asleap testing 2015-03-29 22:49:16 +03:00
eap_server_pax.c EAP-PAX: Derive EAP Session-Id 2014-12-01 01:46:07 +02:00
eap_server_peap.c EAP-PEAP server: Add support for negotiating vendor for Phase 2 2015-04-01 12:57:11 +03:00
eap_server_psk.c EAP server: Add getSessionId 2014-11-30 15:53:11 +02:00
eap_server_pwd.c EAP-pwd server: Fix payload length validation for Commit and Confirm 2015-05-03 18:26:50 +03:00
eap_server_sake.c EAP server: Add getSessionId 2014-11-30 15:53:11 +02:00
eap_server_sim.c EAP server: Add getSessionId 2014-11-30 15:53:11 +02:00
eap_server_tls.c EAP-TLS server: Clear temporary buffer during EMSK derivation 2014-12-01 01:28:19 +02:00
eap_server_tls_common.c Make tls_connection_get_keyblock_size() internal to tls_*.c 2015-04-01 12:56:54 +03:00
eap_server_tnc.c EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873) 2014-06-13 16:03:45 +03:00
eap_server_ttls.c EAP server: Add debug prints to help asleap testing 2015-03-29 22:49:16 +03:00
eap_server_vendor_test.c Use proper private enterprise number for EAP VENDOR-TEST 2012-08-22 21:37:19 +03:00
eap_server_wsc.c WPS: Add explicit message length limit of 50000 bytes 2014-11-23 21:03:40 +02:00
eap_sim_db.c Check os_snprintf() result more consistently - manual 2014-12-08 11:42:07 +02:00
eap_sim_db.h EAP-SIM DB: Use pointer to struct eap_sim_db_data instead of void* 2012-09-01 21:48:48 +03:00
eap_tls_common.h EAP server: Add getSessionId 2014-11-30 15:53:11 +02:00
ikev2.c EAP-IKEv2: Use os_memcmp_const() for hash/password comparisons 2014-07-02 12:38:47 +03:00
ikev2.h Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
Makefile tests: Add ap-mgmt-fuzzer 2015-04-22 11:44:19 +03:00
tncs.c TNC: Allow TNC to be enabled dynamically 2014-05-17 20:05:55 +03:00
tncs.h Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00