mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-27 10:52:47 +01:00

eap: Fix invalid access

When the server sends an identity prompt or a notification, we were
trying to print from our local buffer, not from the actual packet.  The
relevant valgrind trace is:

src/netdev.c:netdev_mlme_notify() MLME notification 64
==4300== Conditional jump or move depends on uninitialised value(s)
==4300==    at 0x4C3006E: strnlen (vg_replace_strmem.c:425)
==4300==    by 0x508C513: vfprintf (vfprintf.c:1643)
==4300==    by 0x508EB75: buffered_vfprintf (vfprintf.c:2329)
==4300==    by 0x508C1A1: vfprintf (vfprintf.c:1301)
==4300==    by 0x167051: log_stderr (log.c:145)
==4300==    by 0x16756E: l_log_with_location (log.c:293)
==4300==    by 0x142173: __eap_handle_request (eap.c:235)
==4300==    by 0x142339: eap_rx_packet (eap.c:287)
==4300==    by 0x12AEF9: eapol_rx_packet (eapol.c:1622)
==4300==    by 0x12BBBC: __eapol_rx_packet (eapol.c:2018)
==4300==    by 0x116D1E: netdev_pae_read (netdev.c:3121)
==4300==    by 0x16672B: io_callback (io.c:123)
==4300==
EAP identity prompt: ""
Denis Kenzior 2018-05-18 09:46:12 -05:00
parent 96bc9180ec
commit 56eeaf7b7a


@ -233,7 +233,7 @@ void __eap_handle_request(struct eap_state *eap, uint16_t id,
case EAP_TYPE_IDENTITY:
if (len >= 2)
l_warn("EAP identity prompt: \"%.*s\"",
(int) len - 1, buf + 1);
(int) len - 1, pkt + 1);
eap_send_identity_response(eap, eap->identity);
@ -244,7 +244,7 @@ void __eap_handle_request(struct eap_state *eap, uint16_t id,
/* Invalid packets to be ignored */
return;
l_warn("EAP notification: \"%.*s\"", (int) len - 1, buf + 1);
l_warn("EAP notification: \"%.*s\"", (int) len - 1, pkt + 1);
eap_send_response(eap, EAP_TYPE_NOTIFICATION, buf, 5);
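Review bot: The bytes now printed from `pkt` in both `l_warn()` calls are chosen by the server, presumably before authentication has completed, so control characters or terminal escape sequences in an identity prompt or notification reach the log verbatim. I would log a bounded, printable-only copy instead, as sketched below for the identity case; the notification case would get the same treatment. The cost is that long prompts are truncated and non-ASCII text shows as dots. The hunks do not show where `len` comes from, so it is also worth confirming that it never exceeds the received packet length, since `(int) len - 1` is the only bound on the read. `__eap_handle_request()` starts and ends outside both hunks.

```c
	case EAP_TYPE_IDENTITY:
		if (len >= 2) {
			char prompt[64];
			size_t n = len - 1;
			size_t i;

			if (n > sizeof(prompt) - 1)
				n = sizeof(prompt) - 1;

			/* Server-supplied text: keep printable ASCII only */
			for (i = 0; i < n; i++) {
				unsigned char c = pkt[i + 1];

				prompt[i] = (c >= 0x20 && c < 0x7f) ? (char) c : '.';
			}

			prompt[n] = '\0';
			l_warn("EAP identity prompt: \"%s\"", prompt);
		}
		/* … unchanged: eap_send_identity_response() call … */
```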