From efecce772f9a010ea70c6332de6e34bbbf5121bf Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Mon, 16 Jul 2018 10:51:13 -0500
Subject: [PATCH] eapol: Fix memory allocation issues

When the EAPOL-Key data field is encrypted using AES Wrap, check that the data field is large enough before calculating the expected plaintext length.

Previously, if the encrypted data field was smaller than 8 bytes, an integer underflow would occur when calculating the expected plaintext data length. This would cause iwd to try to allocate a huge amount of memory, which causes it to abort and terminate.

If the data field was equal to 8 bytes, iwd would try to allocate 0 bytes of memory, making l_new return NULL, which subsequently causes iwd to crash on a NULL pointer deference.

Reported-by: Mathy Vanhoef
---
 src/eapol.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/eapol.c b/src/eapol.c
index 72b58ba1..7ef45c9f 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -144,6 +144,9 @@ uint8_t *eapol_decrypt_key_data(const uint8_t *kek,
 break;
 case EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES:
 case EAPOL_KEY_DESCRIPTOR_VERSION_AES_128_CMAC_AES:
+if (key_data_len < 24 || key_data_len % 8)
+return NULL;
+
 expected_len = key_data_len - 8;
 break;
 default:
@@ -171,9 +174,6 @@ uint8_t *eapol_decrypt_key_data(const uint8_t *kek,
 }
 case EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES:
 case EAPOL_KEY_DESCRIPTOR_VERSION_AES_128_CMAC_AES:
-if (key_data_len < 24 || key_data_len % 8)
-goto error;
-
 if (!aes_unwrap(kek, key_data, key_data_len, buf))
 goto error;
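Review bot: The new bounds check in the first hunk now correctly precedes `expected_len = key_data_len - 8`, but the constants 24 and 8 are unexplained at the one place where they matter; a comment above the new `if`, such as `/* AES Key Wrap (RFC 3394): 8-byte IV plus at least two 8-byte blocks, whole blocks only */`, would let a reader confirm the bound without reconstructing it from the removed check in the second hunk. Returning NULL directly here, rather than the `goto error` the old check used, is only safe because the buffer has not yet been allocated at this point in the switch; a short comment to that effect (`/* nothing allocated yet, so no cleanup needed */`) would keep a later reordering of the allocation from reintroducing a leak. eapol_decrypt_key_data starts before this hunk and continues after it, so the declared type of key_data_len is not visible; the `< 24` and `% 8` tests assume an unsigned size, which is worth confirming against the signature.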