3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-22 21:22:37 +01:00

peap: Ensure TLV uniqueness

Processing the duplicated TLVs while connecting to a malicious AP may lead
to overflow of the response buffer. This patch ensures that the
duplicated TLVs are not parsed.
This commit is contained in:
Tim Kourt 2020-02-05 15:19:05 -08:00 committed by Denis Kenzior
parent 4f745ff930
commit bdf328320d

View File

@ -357,6 +357,8 @@ static int eap_extensions_process_tlvs(struct eap_state *eap,
int response_len = 0; int response_len = 0;
uint16_t tlv_type; uint16_t tlv_type;
uint16_t tlv_value_len; uint16_t tlv_value_len;
bool seen_result_tlv = false;
bool seen_cryptobinding_tlv = false;
while (data_len >= EAP_EXTENSIONS_TLV_HEADER_LEN) { while (data_len >= EAP_EXTENSIONS_TLV_HEADER_LEN) {
int response_tlv_len = 0; int response_tlv_len = 0;
@ -374,12 +376,22 @@ static int eap_extensions_process_tlvs(struct eap_state *eap,
switch (tlv_type) { switch (tlv_type) {
case EAP_EXTENSIONS_TLV_TYPE_RESULT: case EAP_EXTENSIONS_TLV_TYPE_RESULT:
if (seen_result_tlv)
return -EBADMSG;
seen_result_tlv = true;
response_tlv_len = eap_extensions_handle_result_tlv(eap, response_tlv_len = eap_extensions_handle_result_tlv(eap,
data, tlv_value_len, response, data, tlv_value_len, response,
result); result);
break; break;
case EAP_EXTENSIONS_TLV_TYPE_CRYPTOBINDING: case EAP_EXTENSIONS_TLV_TYPE_CRYPTOBINDING:
if (seen_cryptobinding_tlv)
return -EBADMSG;
seen_cryptobinding_tlv = true;
response_tlv_len = response_tlv_len =
eap_extensions_handle_cryptobinding_tlv(eap, eap_extensions_handle_cryptobinding_tlv(eap,
data, tlv_value_len, response); data, tlv_value_len, response);