eap-tls: Set upper limit on request size
Set an upper limit on a fragmented EAP-TLS request size, similar to how we do it in EAP-TTLS. While there, make the code more similar to the EAP-TTLS flag processing to keep the two closer in sync. Note that the spec suggests a 64KB limit, but it's not clear whether that applies to the TLS record or to the EAP request; since it takes the whole TLS negotiation into account, it might be good for both.
parent
0b71b034c1
commit
e4222d0ebe
@ -99,6 +99,8 @@ static void eap_tls_free(struct eap_state *eap)
|
||||
#define EAP_TLS_FLAG_L (1 << 7)
|
||||
#define EAP_TLS_FLAG_M (1 << 6)
|
||||
#define EAP_TLS_FLAG_S (1 << 5)
|
||||
#define EAP_TLS_FLAG_LM_MASK \
|
||||
(EAP_TLS_FLAG_L | EAP_TLS_FLAG_M)
|
||||
|
||||
static uint8_t *eap_tls_tx_buf_reserve(struct eap_tls_state *tls, size_t size)
|
||||
{
|
||||
@ -224,6 +226,13 @@ static void eap_tls_handle_request(struct eap_state *eap,
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Sanity check that first fragmented request has L flag set */
|
||||
if ((flags & EAP_TLS_FLAG_LM_MASK) == EAP_TLS_FLAG_M &&
|
||||
!tls->rx_pkt_buf) {
|
||||
l_error("EAP-TLS request 1st fragment with no length");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (flags & EAP_TLS_FLAG_L) {
|
||||
if (len < 7) {
|
||||
l_error("EAP-TLS request with L flag too short");
|
||||
@ -234,7 +243,19 @@ static void eap_tls_handle_request(struct eap_state *eap,
|
||||
pkt += 4;
|
||||
len -= 4;
|
||||
|
||||
if (tls->rx_pkt_buf && total_len != tls->rx_pkt_len) {
|
||||
if ((flags & EAP_TLS_FLAG_M) && !tls->rx_pkt_buf) {
|
||||
if (total_len > 512 * 1024) {
|
||||
l_error("EAP-TLS Message too long");
|
||||
goto err;
|
||||
}
|
||||
|
||||
tls->rx_pkt_buf = l_malloc(total_len);
|
||||
tls->rx_pkt_len = total_len;
|
||||
tls->rx_pkt_received = 0;
|
||||
}
|
||||
|
||||
if ((tls->rx_pkt_buf && total_len != tls->rx_pkt_len) ||
|
||||
(!tls->rx_pkt_buf && total_len != len)) {
|
||||
l_error("EAP-TLS request length mismatch");
|
||||
|
||||
l_free(tls->rx_pkt_buf);
|
||||
@ -244,18 +265,6 @@ static void eap_tls_handle_request(struct eap_state *eap,
|
||||
}
|
||||
}
|
||||
|
||||
if (!tls->rx_pkt_buf && (flags & EAP_TLS_FLAG_M)) {
|
||||
if (!(flags & EAP_TLS_FLAG_L)) {
|
||||
l_error("EAP-TLS request 1st fragment with no length");
|
||||
|
||||
goto err;
|
||||
}
|
||||
|
||||
tls->rx_pkt_buf = l_malloc(total_len);
|
||||
tls->rx_pkt_len = total_len;
|
||||
tls->rx_pkt_received = 0;
|
||||
}
|
||||
|
||||
if (tls->rx_pkt_buf) {
|
||||
if (
|
||||
((flags & EAP_TLS_FLAG_M) &&
|
||||
|
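Review bot: The new cap in the first-fragment branch of eap_tls_handle_request is a bare `512 * 1024`, while the commit message cites a 64KB figure from the spec, so the reason for the larger value is not recorded anywhere in the code. A named constant with a one-line comment would document it, for example (name is a suggestion) `#define EAP_TLS_MAX_REQUEST_SIZE (512 * 1024)` next to the flag macros and `if (total_len > EAP_TLS_MAX_REQUEST_SIZE) {` at the check. If EAP-TTLS uses the same figure, sharing the constant would keep the two in sync as the message intends. The cap bounds only the size the sender announces before `l_malloc(total_len)`; the check that received fragments stay within `rx_pkt_len` sits in the part of the function below this hunk and cannot be confirmed from here.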