From d40a8d1a6d942e1b14dc7d30267a467644ae4ff9 Mon Sep 17 00:00:00 2001
From: James Prestwood <prestwoj@gmail.com>
Date: Fri, 6 Mar 2020 11:16:27 -0800
Subject: [PATCH] eap-gtc: limit password length to maximum

The password for EAP-GTC is directly used in an EAP response. The
response buffer is created on the stack so an overly large password
could cause a stack overflow.
---
 src/eap-gtc.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/eap-gtc.c b/src/eap-gtc.c
index 7788d44c..f895ec61 100644
--- a/src/eap-gtc.c
+++ b/src/eap-gtc.c
@@ -32,6 +32,8 @@
 #include "src/eap.h"
 #include "src/eap-private.h"
 
+#define EAP_GTC_MAX_PASSWORD_LEN	2048
+
 struct eap_gtc_state {
 	char *password;
 };
@@ -148,6 +150,14 @@ static bool eap_gtc_load_settings(struct eap_state *eap,
 			return false;
 	}
 
+	/*
+	 * Limit length to prevent a stack overflow
+	 */
+	if (strlen(password) > EAP_GTC_MAX_PASSWORD_LEN) {
+		l_free(password);
+		return false;
+	}
+
 	gtc = l_new(struct eap_gtc_state, 1);
 	gtc->password = password;