mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2024-12-22 04:32:37 +01:00
erp: Fix buffer overflow for 32 byte SSIDs
ssid is declared as a 32 byte field in handshake_state, hence using it as a string which is assumed to be nul-terminated will fail for SSIDs that are 32 bytes long. Fixes:d938d362b2
("erp: ERP implementation and key cache move") Fixes:433373fe28
("eapol: cache ERP keys on EAP success")
This commit is contained in:
parent
8d68b33e76
commit
bdaae53cf8
@ -2531,7 +2531,7 @@ static void eapol_eap_results_cb(const uint8_t *msk_data, size_t msk_len,
|
||||
if (sm->handshake->support_fils && emsk_data && session_id)
|
||||
erp_cache_add(eap_get_identity(sm->eap), session_id,
|
||||
session_len, emsk_data, emsk_len,
|
||||
(const char *)sm->handshake->ssid);
|
||||
sm->handshake->ssid, sm->handshake->ssid_len);
|
||||
|
||||
return;
|
||||
|
||||
|
10
src/erp.c
10
src/erp.c
@ -160,13 +160,19 @@ static void erp_cache_entry_destroy(void *data)
|
||||
|
||||
void erp_cache_add(const char *id, const void *session_id,
|
||||
size_t session_len, const void *emsk, size_t emsk_len,
|
||||
const char *ssid)
|
||||
const uint8_t *ssid, size_t ssid_len)
|
||||
{
|
||||
struct erp_cache_entry *entry;
|
||||
|
||||
if (!unlikely(id || session_id || emsk))
|
||||
return;
|
||||
|
||||
if (!util_ssid_is_utf8(ssid_len, ssid))
|
||||
return;
|
||||
|
||||
if (util_ssid_is_hidden(ssid_len, ssid))
|
||||
return;
|
||||
|
||||
entry = l_new(struct erp_cache_entry, 1);
|
||||
|
||||
entry->id = l_strdup(id);
|
||||
@ -174,7 +180,7 @@ void erp_cache_add(const char *id, const void *session_id,
|
||||
entry->emsk_len = emsk_len;
|
||||
entry->session_id = l_memdup(session_id, session_len);
|
||||
entry->session_len = session_len;
|
||||
entry->ssid = l_strdup(ssid);
|
||||
entry->ssid = l_strndup((char *) ssid, ssid_len);
|
||||
entry->expire_time = l_time_offset(l_time_now(),
|
||||
ERP_DEFAULT_KEY_LIFETIME_US);
|
||||
|
||||
|
@ -43,7 +43,7 @@ const void *erp_get_rmsk(struct erp_state *erp, size_t *rmsk_len);
|
||||
|
||||
void erp_cache_add(const char *id, const void *session_id, size_t session_len,
|
||||
const void *emsk, size_t emsk_len,
|
||||
const char *ssid);
|
||||
const uint8_t *ssid, size_t ssid_len);
|
||||
|
||||
void erp_cache_remove(const char *id);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user