10:19 a.m.
Processing the duplicated TLVs while connecting to a malicious AP may lead
to overflow of the response buffer. This patch ensures that the
duplicated TLVs are not parsed.
---
src/eap-peap.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/eap-peap.c b/src/eap-peap.c
index 8c3ba2f3..c17e5b92 100644
--- a/src/eap-peap.c
+++ b/src/eap-peap.c
@@ -353,6 +353,8 @@ static int eap_extensions_process_tlvs(struct eap_state *eap,
int response_len = 0;
uint16_t tlv_type;
uint16_t tlv_value_len;
+ bool seen_result_tlv = false;
+ bool seen_cryptobinding_tlv = false;
while (data_len >= EAP_EXTENSIONS_TLV_HEADER_LEN) {
int response_tlv_len = 0;
@@ -370,12 +372,22 @@ static int eap_extensions_process_tlvs(struct eap_state *eap,
switch (tlv_type) {
case EAP_EXTENSIONS_TLV_TYPE_RESULT:
+ if (seen_result_tlv)
+ return -EBADMSG;
+
+ seen_result_tlv = true;
+
response_tlv_len = eap_extensions_handle_result_tlv(eap,
data, tlv_value_len, response,
result);
break;
case EAP_EXTENSIONS_TLV_TYPE_CRYPTOBINDING:
+ if (seen_cryptobinding_tlv)
+ return -EBADMSG;
+
+ seen_cryptobinding_tlv = true;
+
response_tlv_len =
eap_extensions_handle_cryptobinding_tlv(eap,
data, tlv_value_len, response);
--
2.13.6
3:28 a.m.
Hi Tim,
On 2/5/20 5:19 PM, Tim Kourt wrote:
Processing the duplicated TLVs while connecting to a malicious AP may
lead
to overflow of the response buffer. This patch ensures that the
duplicated TLVs are not parsed.
---
src/eap-peap.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
Applied, thanks.
Regards,
-Denis
955
days inactive
956
days old
1 comments
2 participants
participants (2)
-
Denis Kenzior -
Tim Kourt