6:16 a.m.
---
src/iwd.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/iwd.h b/src/iwd.h
index 22223526..8b63aa7d 100644
--- a/src/iwd.h
+++ b/src/iwd.h
@@ -22,6 +22,13 @@
#define uninitialized_var(x) x = x
+/*
+ * Set a maximum to prevent sending too much data to the kernel when hashing
+ * the password (or any other crypto operations involving the password).
+ * This value is not tied to IEEE or any RFC's, just chosen to be long enough
+ */
+#define IWD_MAX_PASSWORD_LEN 2048
+
struct l_genl;
struct l_genl_family;
--
2.17.1
6:16 a.m.
New subject: [PATCH v3 2/3] eap-gtc: limit password length to maximum
The password for EAP-GTC is directly used in an EAP response. The
response buffer is created on the stack so an overly large password
could cause a stack overflow.
---
src/eap-gtc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
-v3:
* Defined maximum locally to not depend on iwd.h
diff --git a/src/eap-gtc.c b/src/eap-gtc.c
index 7788d44c..f895ec61 100644
--- a/src/eap-gtc.c
+++ b/src/eap-gtc.c
@@ -32,6 +32,8 @@
#include "src/eap.h"
#include "src/eap-private.h"
+#define EAP_GTC_MAX_PASSWORD_LEN 2048
+
struct eap_gtc_state {
char *password;
};
@@ -148,6 +150,14 @@ static bool eap_gtc_load_settings(struct eap_state *eap,
return false;
}
+ /*
+ * Limit length to prevent a stack overflow
+ */
+ if (strlen(password) > EAP_GTC_MAX_PASSWORD_LEN) {
+ l_free(password);
+ return false;
+ }
+
gtc = l_new(struct eap_gtc_state, 1);
gtc->password = password;
--
2.17.1
6:16 a.m.
New subject: [PATCH v3 3/3] network: enforce max EAP/pkey password length
---
src/network.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/network.c b/src/network.c
index fe6ba867..c08d7e72 100644
--- a/src/network.c
+++ b/src/network.c
@@ -892,7 +892,15 @@ static void eap_password_callback(enum agent_result result, const
char *value,
struct eap_secret_request *req = user_data;
req->network->agent_request = 0;
- req->secret->value = l_strdup(value);
+
+ if (value) {
+ if (strlen(value) < IWD_MAX_PASSWORD_LEN)
+ req->secret->value = l_strdup(value);
+ else {
+ l_error("EAP password too long");
+ result = AGENT_RESULT_FAILED;
+ }
+ }
req->callback(result, message, req);
}
@@ -910,11 +918,18 @@ static void eap_user_password_callback(enum agent_result result,
size_t len1 = strlen(user) + 1;
size_t len2 = strlen(passwd) + 1;
+ if (len2 > IWD_MAX_PASSWORD_LEN) {
+ l_error("EAP password too long");
+ result = AGENT_RESULT_FAILED;
+ goto done;
+ }
+
req->secret->value = l_malloc(len1 + len2);
memcpy(req->secret->value, user, len1);
memcpy(req->secret->value + len1, passwd, len2);
}
+done:
req->callback(result, message, req);
}
--
2.17.1
926
days inactive
926
days old
3 comments
2 participants
participants (2)
-
Denis Kenzior -
James Prestwood