- From: Jouni Malinen <j@w1.fi>
- Date: Sun, 7 Oct 2012 17:06:29 +0000 (+0300)
- Subject: EAP-TLS server: Fix TLS Message Length validation
- X-Git-Url: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de
- EAP-TLS server: Fix TLS Message Length validation
- EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
- Message Length value properly and could end up trying to store more
- information into the message buffer than the allocated size if the first
- fragment is longer than the indicated size. This could result in hostapd
- process terminating in wpabuf length validation. Fix this by rejecting
- messages that have invalid TLS Message Length value.
- This would affect cases that use the internal EAP authentication server
- in hostapd either directly with IEEE 802.1X or when using hostapd as a
- RADIUS authentication server and when receiving an incorrectly
- constructed EAP-TLS message. Cases where hostapd uses an external
- authentication are not affected.
- Thanks to Timo Warns for finding and reporting this issue.
- Signed-hostap: Jouni Malinen <j@w1.fi>
- intended-for: hostap-1
- ---
- diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
- index 31be2ec..46f282b 100644
- --- a/src/eap_server/eap_server_tls_common.c
- +++ b/src/eap_server/eap_server_tls_common.c
- @@ -228,6 +228,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
- return -1;
- }
-
- + if (len > message_length) {
- + wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
- + "first fragment of frame (TLS Message "
- + "Length %d bytes)",
- + (int) len, (int) message_length);
- + return -1;
- + }
- +
- data->tls_in = wpabuf_alloc(message_length);
- if (data->tls_in == NULL) {
- wpa_printf(MSG_DEBUG, "SSL: No memory for message");
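Review bot: In the added wpa_printf call, len and message_length are both cast to (int) and printed with %d, so a TLS Message Length above INT_MAX would show up as a negative number in the log, and that malformed-input case is the one where the logged values matter most. Printing them as unsigned (for example %lu with (unsigned long) casts) would keep the rejected values readable. It would also help to put a one-line comment above `if (len > message_length)` saying that the check has to stay ahead of wpabuf_alloc(message_length), because the buffer is sized from the length field of the received message and this comparison is what keeps the first fragment within it.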