mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2024-12-22 21:22:37 +01:00
eap-pwd: fixup some minor bounds checking issues
This commit is contained in:
parent
6a28cd5527
commit
322f32295d
@ -379,11 +379,6 @@ static void eap_pwd_handle_commit(struct eap_state *eap,
|
|||||||
|
|
||||||
pwd->state = EAP_PWD_STATE_COMMIT;
|
pwd->state = EAP_PWD_STATE_COMMIT;
|
||||||
|
|
||||||
if (len < 96) {
|
|
||||||
l_error("commit request packet was too small");
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* RFC 5114 Section 2.6 - 256-bit Random ECP Group
|
* RFC 5114 Section 2.6 - 256-bit Random ECP Group
|
||||||
* Prime p is 32 bytes in length, therefore x and y will also each be
|
* Prime p is 32 bytes in length, therefore x and y will also each be
|
||||||
@ -565,6 +560,9 @@ static void eap_pwd_process(struct eap_state *eap,
|
|||||||
{
|
{
|
||||||
uint8_t pwd_exch = util_bit_field(pkt[0], 0, 6);
|
uint8_t pwd_exch = util_bit_field(pkt[0], 0, 6);
|
||||||
|
|
||||||
|
if (len < 1)
|
||||||
|
return;
|
||||||
|
|
||||||
switch (pwd_exch) {
|
switch (pwd_exch) {
|
||||||
case EAP_PWD_EXCH_ID:
|
case EAP_PWD_EXCH_ID:
|
||||||
eap_pwd_handle_id(eap, pkt + 1, len - 1);
|
eap_pwd_handle_id(eap, pkt + 1, len - 1);
|
||||||
@ -654,6 +652,11 @@ static void eap_pwd_handle_request(struct eap_state *eap,
|
|||||||
|
|
||||||
/* first rx fragment */
|
/* first rx fragment */
|
||||||
if (len_bit) {
|
if (len_bit) {
|
||||||
|
if (len < 3) {
|
||||||
|
l_error("malformed packet");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
/* remove length of Total-Length parameter (2) */
|
/* remove length of Total-Length parameter (2) */
|
||||||
pwd->rx_frag_total = l_get_be16(pkt + 1) - 2;
|
pwd->rx_frag_total = l_get_be16(pkt + 1) - 2;
|
||||||
pwd->rx_frag_buf = l_malloc(pwd->rx_frag_total);
|
pwd->rx_frag_buf = l_malloc(pwd->rx_frag_total);
|
||||||
|
Loading…
Reference in New Issue
Block a user