3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-22 04:32:37 +01:00

erp: Fix buffer overflow for 32 byte SSIDs

ssid is declared as a 32 byte field in handshake_state, hence using it
as a string which is assumed to be nul-terminated will fail for SSIDs
that are 32 bytes long.

Fixes: d938d362b2 ("erp: ERP implementation and key cache move")
Fixes: 433373fe28 ("eapol: cache ERP keys on EAP success")
This commit is contained in:
Denis Kenzior 2023-11-26 22:38:46 -06:00 committed by Marcel Holtmann
parent 8d68b33e76
commit bdaae53cf8
3 changed files with 10 additions and 4 deletions

View File

@ -2531,7 +2531,7 @@ static void eapol_eap_results_cb(const uint8_t *msk_data, size_t msk_len,
if (sm->handshake->support_fils && emsk_data && session_id)
erp_cache_add(eap_get_identity(sm->eap), session_id,
session_len, emsk_data, emsk_len,
(const char *)sm->handshake->ssid);
sm->handshake->ssid, sm->handshake->ssid_len);
return;

View File

@ -160,13 +160,19 @@ static void erp_cache_entry_destroy(void *data)
void erp_cache_add(const char *id, const void *session_id,
size_t session_len, const void *emsk, size_t emsk_len,
const char *ssid)
const uint8_t *ssid, size_t ssid_len)
{
struct erp_cache_entry *entry;
if (!unlikely(id || session_id || emsk))
return;
if (!util_ssid_is_utf8(ssid_len, ssid))
return;
if (util_ssid_is_hidden(ssid_len, ssid))
return;
entry = l_new(struct erp_cache_entry, 1);
entry->id = l_strdup(id);
@ -174,7 +180,7 @@ void erp_cache_add(const char *id, const void *session_id,
entry->emsk_len = emsk_len;
entry->session_id = l_memdup(session_id, session_len);
entry->session_len = session_len;
entry->ssid = l_strdup(ssid);
entry->ssid = l_strndup((char *) ssid, ssid_len);
entry->expire_time = l_time_offset(l_time_now(),
ERP_DEFAULT_KEY_LIFETIME_US);

View File

@ -43,7 +43,7 @@ const void *erp_get_rmsk(struct erp_state *erp, size_t *rmsk_len);
void erp_cache_add(const char *id, const void *session_id, size_t session_len,
const void *emsk, size_t emsk_len,
const char *ssid);
const uint8_t *ssid, size_t ssid_len);
void erp_cache_remove(const char *id);