mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2025-01-09 00:12:36 +01:00
eapol: Fix memory allocation issues
When the EAPOL-Key data field is encrypted using AES Wrap, check that the data field is large enough before calculating the expected plaintext length. Previously, if the encrypted data field was smaller than 8 bytes, an integer underflow would occur when calculating the expected plaintext data length. This would cause iwd to try to allocate a huge amount of memory, which causes it to abort and terminate. If the data field was equal to 8 bytes, iwd would try to allocate 0 bytes of memory, making l_new return NULL, which subsequently causes iwd to crash on a NULL pointer deference. Reported-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
This commit is contained in:
parent
49d011dabe
commit
efecce772f
@ -144,6 +144,9 @@ uint8_t *eapol_decrypt_key_data(const uint8_t *kek,
|
|||||||
break;
|
break;
|
||||||
case EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES:
|
case EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES:
|
||||||
case EAPOL_KEY_DESCRIPTOR_VERSION_AES_128_CMAC_AES:
|
case EAPOL_KEY_DESCRIPTOR_VERSION_AES_128_CMAC_AES:
|
||||||
|
if (key_data_len < 24 || key_data_len % 8)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
expected_len = key_data_len - 8;
|
expected_len = key_data_len - 8;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
@ -171,9 +174,6 @@ uint8_t *eapol_decrypt_key_data(const uint8_t *kek,
|
|||||||
}
|
}
|
||||||
case EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES:
|
case EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES:
|
||||||
case EAPOL_KEY_DESCRIPTOR_VERSION_AES_128_CMAC_AES:
|
case EAPOL_KEY_DESCRIPTOR_VERSION_AES_128_CMAC_AES:
|
||||||
if (key_data_len < 24 || key_data_len % 8)
|
|
||||||
goto error;
|
|
||||||
|
|
||||||
if (!aes_unwrap(kek, key_data, key_data_len, buf))
|
if (!aes_unwrap(kek, key_data, key_data_len, buf))
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user