The password for EAP-GTC is directly used in an EAP response. The
response buffer is created on the stack so an overly large password
could cause a stack overflow.
---
src/eap-gtc.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/eap-gtc.c b/src/eap-gtc.c
index 7788d44c..19447b0f 100644
--- a/src/eap-gtc.c
+++ b/src/eap-gtc.c
@@ -31,6 +31,7 @@
#include "src/missing.h"
#include "src/eap.h"
#include "src/eap-private.h"
+#include "src/iwd.h"
struct eap_gtc_state {
char *password;
@@ -148,6 +149,14 @@ static bool eap_gtc_load_settings(struct eap_state *eap,
return false;
}
+ /*
+ * Limit length to prevent a stack overflow
+ */
+ if (strlen(password) > IWD_MAX_PASSWORD_LEN) {
+ l_free(password);
+ return false;
+ }
+
gtc = l_new(struct eap_gtc_state, 1);
gtc->password = password;
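Review bot: The new guard rejects the password with a bare `return false`, so a user whose configured password exceeds IWD_MAX_PASSWORD_LEN gets an authentication failure with no indication why; a diagnostic before the `l_free(password)` would make the rejection visible, e.g. `l_error("EAP-GTC: password longer than %zu bytes", (size_t) IWD_MAX_PASSWORD_LEN);` (assuming the usual ell logging helper is available in this file). The comment should also name the invariant it protects rather than just the symptom, since nothing in this hunk ties IWD_MAX_PASSWORD_LEN to the size of the stack buffer the commit message refers to: `/* The response buffer in the GTC response handler is sized for at most IWD_MAX_PASSWORD_LEN bytes of password; reject anything longer here so that path never overflows. Keep in sync with that buffer. */`. If the response path's buffer size is a compile-time constant, a `_Static_assert` relating the two in the handler would keep the check from drifting, but that buffer is outside this hunk and I have not verified its size. The body of eap_gtc_load_settings begins before this hunk and the earlier failure paths are not visible here.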
--
2.17.1