From 7699c8ab1ec8247be11a135d12fe23e8f60108dc Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Tue, 30 Oct 2018 15:14:11 -0500
Subject: [PATCH] eap-ttls: Handle redundant L flags

Some of the TTLS server implementations set the L flag in the fragment packets other than the first one. To stay interoperable with such devices, iwd is relaxing the L bit check.
---
 src/eap-ttls.c | 49 +++++++++++++++++++++++++++----------------------
 1 file changed, 27 insertions(+), 22 deletions(-)

diff --git a/src/eap-ttls.c b/src/eap-ttls.c
index 33bd06e8..2c1a9256 100644
--- a/src/eap-ttls.c
+++ b/src/eap-ttls.c
@@ -443,6 +443,8 @@ static void eap_ttls_free(struct eap_state *eap)
 #define EAP_TTLS_FLAG_S (1 << 5)
 #define EAP_TTLS_FLAG_MASK \
 (EAP_TTLS_FLAG_L | EAP_TTLS_FLAG_M | EAP_TTLS_FLAG_S)
+#define EAP_TTLS_FLAG_LM_MASK \
+ (EAP_TTLS_FLAG_L | EAP_TTLS_FLAG_M)
 struct phase2_credentials {
 char *username;
@@ -912,8 +914,15 @@ static void eap_ttls_handle_request(struct eap_state *eap,
 goto err;
 }
+ /* Sanity check that first fragmented request has L flag set */
+ if ((flags & EAP_TTLS_FLAG_LM_MASK) == EAP_TTLS_FLAG_M &&
+ !ttls->rx_pkt_buf) {
+ l_error("EAP-TTLS request 1st fragment with no length");
+ goto err;
+ }
+
+ if (flags & EAP_TTLS_FLAG_L) {
- if (len < 7) {
+ if (len < 4) {
 l_error("EAP-TTLS request with L flag too short");
 goto err;
 }
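Review bot: The lowered bound `if (len < 4)` now admits an L-flagged request whose payload is exactly the 4-octet Message Length field with no TLS data behind it; that is the minimum the following `pkt += 4; len -= 4;` needs, but the old value 7 encoded a stricter assumption, so the check deserves a comment stating which is intended, e.g. `/* L flag: the 4-octet Message Length must be present; the TLS data may be empty */`. Once the L flag is tolerated on fragments other than the first, the Message Length those fragments carry is never compared with the reassembly state: when ttls->rx_pkt_buf is already allocated, a fragment whose total_len differs from ttls->rx_pkt_len looks malformed and would be worth rejecting with `l_error("EAP-TTLS request Length value invalid"); goto err;` rather than silently ignored. That comparison belongs where total_len is consumed, which lies in the next hunk; eap_ttls_handle_request itself starts before this hunk.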
@@ -922,35 +931,31 @@ static void eap_ttls_handle_request(struct eap_state *eap,
 pkt += 4;
 len -= 4;
- if (ttls->rx_pkt_buf) {
- l_error("EAP-TTLS request L flag invalid");
+ if (flags & EAP_TTLS_FLAG_M) {
+ if (ttls->rx_pkt_buf)
+ goto add_to_pkt_buf;
- l_free(ttls->rx_pkt_buf);
- ttls->rx_pkt_buf = NULL;
+ if (total_len > 512*1024) {
+ l_error("Maximum message size exceeded");
+ goto err;
+ }
- goto err;
- }
-
- if (!(flags & EAP_TTLS_FLAG_M) && total_len != len) {
+ ttls->rx_pkt_buf = l_malloc(total_len);
+ ttls->rx_pkt_len = total_len;
+ ttls->rx_pkt_received = 0;
+ goto add_to_pkt_buf;
+ } else if (total_len != len && !ttls->rx_pkt_buf) {
+ /*
+ * Sanity check length for unfragmented request
+ * with L flag set
+ */
 l_error("EAP-TTLS request Length value invalid");
- goto err;
 }
 }
- if (!ttls->rx_pkt_buf && (flags & EAP_TTLS_FLAG_M)) {
- if (!(flags & EAP_TTLS_FLAG_L)) {
- l_error("EAP-TTLS request 1st fragment with no length");
-
- goto err;
- }
-
- ttls->rx_pkt_buf = l_malloc(total_len);
- ttls->rx_pkt_len = total_len;
- ttls->rx_pkt_received = 0;
- }
- if (ttls->rx_pkt_buf) {
+add_to_pkt_buf:
 if ( ((flags & EAP_TTLS_FLAG_M) && ttls->rx_pkt_received + len >=