Kernel
/
iwd
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git
3
0
Fork 0
Code Releases Activity

eap-sim: Fix EAP-SIM version list length checks 

The AT_VERSION_LIST attribute length was not being properly
checked. The actual length check did not include possible padding
bytes, so align_len() was added to ensure it was padded properly.
The comment about the padding being included in the Master Key
generation was not correct (padding is NOT included), and was removed.
This commit is contained in:
James Prestwood 2017-08-22 10:24:12 -07:00 committed by Denis Kenzior
parent 23af935e7b
commit 417367e272
1 changed files with 5 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/eap-sim.c
View File

@ -31,6 +31,7 @@
#include "crypto.h"
#include "simutil.h"
#include "util.h"
#include "src/dbus.h"
/*
@ -223,24 +224,20 @@ static void handle_start(struct eap_state *eap, const uint8_t *pkt,
switch (eap_sim_tlv_iter_get_type(&iter)) {
case EAP_SIM_AT_VERSION_LIST:
if (length < 2) {
/* Actual len (2) + version 1 (2) + padding (2) */
if (length < 6) {
l_error("AT_VERSION_LIST was malformed");
goto start_error;
}
sim->vlist_len = l_get_be16(contents);
if (length < 2 + sim->vlist_len) {
/* check that attribute was properly padded */
if (length < 2 + align_len(sim->vlist_len, 4)) {
l_error("AT_VERSION_LIST was malformed");
goto start_error;
}
/*
* The version list is stored as-is (including
* padding). This does mean that there is potential
* for padding bytes at the end, but this is expected
* when generating the Master Key.
*/
sim->vlist = l_memdup(contents + 2, sim->vlist_len);
sim->selected_version = sim->vlist[0];