From 417367e272b70fd5b1fc7dd9617ce36201fec54a Mon Sep 17 00:00:00 2001
From: James Prestwood <james.prestwood@linux.intel.com>
Date: Tue, 22 Aug 2017 10:24:12 -0700
Subject: [PATCH] eap-sim: Fix EAP-SIM version list length checks

The AT_VERSION_LIST attribute length was not being properly
checked. The actual length check did not include possible padding
bytes, so align_len() was added to ensure it was padded properly.
The comment about the padding being included in the Master Key
generation was not correct (padding is NOT included), and was removed.
---
 src/eap-sim.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/src/eap-sim.c b/src/eap-sim.c
index 4f6b412e..cfba78c9 100644
--- a/src/eap-sim.c
+++ b/src/eap-sim.c
@@ -31,6 +31,7 @@
 
 #include "crypto.h"
 #include "simutil.h"
+#include "util.h"
 #include "src/dbus.h"
 
 /*
@@ -223,24 +224,20 @@ static void handle_start(struct eap_state *eap, const uint8_t *pkt,
 
 		switch (eap_sim_tlv_iter_get_type(&iter)) {
 		case EAP_SIM_AT_VERSION_LIST:
-			if (length < 2) {
+			/* Actual len (2) + version 1 (2) + padding (2) */
+			if (length < 6) {
 				l_error("AT_VERSION_LIST was malformed");
 				goto start_error;
 			}
 
 			sim->vlist_len = l_get_be16(contents);
 
-			if (length < 2 + sim->vlist_len) {
+			/* check that attribute was properly padded */
+			if (length < 2 + align_len(sim->vlist_len, 4)) {
 				l_error("AT_VERSION_LIST was malformed");
 				goto start_error;
 			}
 
-			/*
-			 * The version list is stored as-is (including
-			 * padding). This does mean that there is potential
-			 * for padding bytes at the end, but this is expected
-			 * when generating the Master Key.
-			 */
 			sim->vlist = l_memdup(contents + 2, sim->vlist_len);
 
 			sim->selected_version = sim->vlist[0];