Kernel
/
iwd
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git
3
0
Fork 0
Code Releases Activity

eap-pwd: add length checks for fragmented packets

This commit is contained in:
James Prestwood 2022-01-19 10:13:02 -08:00 committed by Denis Kenzior
parent e500511490
commit ac78076663
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/eap-pwd.c
View File

@ -669,6 +669,14 @@ static void eap_pwd_handle_request(struct eap_state *eap,
/* remove length of Total-Length parameter (2) */ /* remove length of Total-Length parameter (2) */
pwd->rx_frag_total = l_get_be16(pkt + 1) - 2; pwd->rx_frag_total = l_get_be16(pkt + 1) - 2;
if (pwd->rx_frag_total < len - 2) {
l_error("Total-Length too small for remaining length");
pwd->rx_frag_total = 0;
return;
}
pwd->rx_frag_buf = l_malloc(pwd->rx_frag_total); pwd->rx_frag_buf = l_malloc(pwd->rx_frag_total);
/* skip copying Total-Length for easier processing later */ /* skip copying Total-Length for easier processing later */
@ -687,6 +695,12 @@ static void eap_pwd_handle_request(struct eap_state *eap,
/* more rx fragments */ /* more rx fragments */
if (pwd->rx_frag_buf) { if (pwd->rx_frag_buf) {
if (pwd->rx_frag_total - pwd->rx_frag_count <
(uint16_t) len - 1) {
l_error("Not enough room for fragment (%zu)", len - 1);
return;
}
/* continue building packet (not including PWD-Exch byte) */ /* continue building packet (not including PWD-Exch byte) */
memcpy(pwd->rx_frag_buf + pwd->rx_frag_count, pkt + 1, len - 1); memcpy(pwd->rx_frag_buf + pwd->rx_frag_count, pkt + 1, len - 1);
pwd->rx_frag_count += (len - 1); pwd->rx_frag_count += (len - 1);