3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-29 13:59:24 +01:00

eap-tls: Set upper limit on request size

Set an upper limit on a fragmented EAP-TLS request size similar to how
we do it in EAP-TTLS.  While there make the code more similar to the
EAP-TTLS flag processing to keep them closer in sync.  Note that the
spec suggests a 64KB limit but it's not clear if that is for the TLS
record or EAP request although it takes into account the whole TLS
negotiation so it might be good for both.
This commit is contained in:
Andrew Zaborowski 2018-11-01 07:03:40 +01:00 committed by Denis Kenzior
parent 0b71b034c1
commit e4222d0ebe

View File

@ -99,6 +99,8 @@ static void eap_tls_free(struct eap_state *eap)
#define EAP_TLS_FLAG_L (1 << 7)
#define EAP_TLS_FLAG_M (1 << 6)
#define EAP_TLS_FLAG_S (1 << 5)
#define EAP_TLS_FLAG_LM_MASK \
(EAP_TLS_FLAG_L | EAP_TLS_FLAG_M)
static uint8_t *eap_tls_tx_buf_reserve(struct eap_tls_state *tls, size_t size)
{
@ -224,6 +226,13 @@ static void eap_tls_handle_request(struct eap_state *eap,
goto err;
}
/* Sanity check that first fragmented request has L flag set */
if ((flags & EAP_TLS_FLAG_LM_MASK) == EAP_TLS_FLAG_M &&
!tls->rx_pkt_buf) {
l_error("EAP-TLS request 1st fragment with no length");
goto err;
}
if (flags & EAP_TLS_FLAG_L) {
if (len < 7) {
l_error("EAP-TLS request with L flag too short");
@ -234,7 +243,19 @@ static void eap_tls_handle_request(struct eap_state *eap,
pkt += 4;
len -= 4;
if (tls->rx_pkt_buf && total_len != tls->rx_pkt_len) {
if ((flags & EAP_TLS_FLAG_M) && !tls->rx_pkt_buf) {
if (total_len > 512 * 1024) {
l_error("EAP-TLS Message too long");
goto err;
}
tls->rx_pkt_buf = l_malloc(total_len);
tls->rx_pkt_len = total_len;
tls->rx_pkt_received = 0;
}
if ((tls->rx_pkt_buf && total_len != tls->rx_pkt_len) ||
(!tls->rx_pkt_buf && total_len != len)) {
l_error("EAP-TLS request length mismatch");
l_free(tls->rx_pkt_buf);
@ -244,18 +265,6 @@ static void eap_tls_handle_request(struct eap_state *eap,
}
}
if (!tls->rx_pkt_buf && (flags & EAP_TLS_FLAG_M)) {
if (!(flags & EAP_TLS_FLAG_L)) {
l_error("EAP-TLS request 1st fragment with no length");
goto err;
}
tls->rx_pkt_buf = l_malloc(total_len);
tls->rx_pkt_len = total_len;
tls->rx_pkt_received = 0;
}
if (tls->rx_pkt_buf) {
if (
((flags & EAP_TLS_FLAG_M) &&