eap-pwd: add length checks for fragmented packets

2025-10-31 13:17:25 +01:00 · 2022-01-19 10:13:02 -08:00 · 2022-01-19 10:13:02 -08:00 · ac78076663
commit ac78076663
parent e500511490
1 changed files with 14 additions and 0 deletions
--- a/src/eap-pwd.c
+++ b/src/eap-pwd.c
@ -669,6 +669,14 @@ static void eap_pwd_handle_request(struct eap_state *eap,

 		/* remove length of Total-Length parameter (2) */
 		pwd->rx_frag_total = l_get_be16(pkt + 1) - 2;
+
+		if (pwd->rx_frag_total < len - 2) {
+			l_error("Total-Length too small for remaining length");
+			pwd->rx_frag_total = 0;
+
+			return;
+		}
+
 		pwd->rx_frag_buf = l_malloc(pwd->rx_frag_total);

 		/* skip copying Total-Length for easier processing later */
@ -687,6 +695,12 @@ static void eap_pwd_handle_request(struct eap_state *eap,

 	/* more rx fragments */
 	if (pwd->rx_frag_buf) {
+		if (pwd->rx_frag_total - pwd->rx_frag_count <
+						(uint16_t) len - 1) {
+			l_error("Not enough room for fragment (%zu)", len - 1);
+			return;
+
+		}
 		/* continue building packet (not including PWD-Exch byte) */
 		memcpy(pwd->rx_frag_buf + pwd->rx_frag_count, pkt + 1, len - 1);
 		pwd->rx_frag_count += (len - 1);