---
src/iwd.h | 9 +++++++++
1 file changed, 9 insertions(+)
v2:
- Renamed to IWD_MAX_PASSWORD_LEN
diff --git a/src/iwd.h b/src/iwd.h
index 22223526..426af743 100644
--- a/src/iwd.h
+++ b/src/iwd.h
@@ -22,6 +22,15 @@
#define uninitialized_var(x) x = x
+/*
+ * Set a maximum to prevent sending too much data to the kernel when hashing
+ * the passphrase (or any other crypto operations involving the passphrase).
+ * This will also prevent potential stack overflows if the passphrase is put
+ * into EAP packets on the stack (EAP-GTC). This value is not tied to IEEE or
+ * any RFC's, just chosen to be long enough to not restrict a normal user.
+ */
+#define IWD_MAX_PASSWORD_LEN 2048
+
struct l_genl;
struct l_genl_family;
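Review bot: The comment above `IWD_MAX_PASSWORD_LEN` does not say whether the limit counts the terminating NUL. The checks added elsewhere in this series use `strlen(x) > IWD_MAX_PASSWORD_LEN`, so an accepted string can occupy 2049 bytes including the terminator. Any buffer sized from this constant therefore needs `IWD_MAX_PASSWORD_LEN + 1`. I would add a line to the comment such as `* The limit is in bytes and excludes the terminating NUL.` so later users of the macro do not introduce an off-by-one.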
--
2.17.1
---
src/agent.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/agent.c b/src/agent.c
index d213f3cd..c221cbd8 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -159,6 +159,9 @@ static void passphrase_reply(struct l_dbus_message *reply,
if (!l_dbus_message_get_arguments(reply, "s", &passphrase))
goto done;
+ if (strlen(passphrase) > IWD_MAX_PASSWORD_LEN)
+ goto done;
+
result = AGENT_RESULT_OK;
done:
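Review bot: On the new over-length branch in passphrase_reply, `passphrase` still points at the oversized string when control reaches `done:`. Whatever runs after the label (outside this hunk) then receives it together with what is presumably a failure result. If that code passes the pointer to a callback, the bound only holds while every consumer checks the result first; adding `passphrase = NULL;` before `goto done;` makes the rejection explicit. The same applies to `passwd` in the user_name_passwd_reply hunk below. The branch also emits no diagnostic, so a too-long secret looks the same as any other agent failure.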
@@ -181,6 +184,9 @@ static void user_name_passwd_reply(struct l_dbus_message *reply,
if (!l_dbus_message_get_arguments(reply, "ss", &username, &passwd))
goto done;
+ if (strlen(passwd) > IWD_MAX_PASSWORD_LEN)
+ goto done;
+
result = AGENT_RESULT_OK;
done:
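Review bot: Only `passwd` is bounded in user_name_passwd_reply; `username` comes from the same D-Bus reply and is still accepted at any length. If the username is later copied into an EAP packet or another fixed or stack-sized buffer (not visible here), it needs the same guard, for example `if (strlen(username) > IWD_MAX_PASSWORD_LEN || strlen(passwd) > IWD_MAX_PASSWORD_LEN)`, or a separate limit with its own name. The function body starts and ends outside the hunk.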
--
2.17.1
The password for EAP-GTC is directly used in an EAP response. The
response buffer is created on the stack so an overly large password
could cause a stack overflow.
---
src/eap-gtc.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/eap-gtc.c b/src/eap-gtc.c
index 7788d44c..19447b0f 100644
--- a/src/eap-gtc.c
+++ b/src/eap-gtc.c
@@ -31,6 +31,7 @@
#include "src/missing.h"
#include "src/eap.h"
#include "src/eap-private.h"
+#include "src/iwd.h"
struct eap_gtc_state {
char *password;
@@ -148,6 +149,14 @@ static bool eap_gtc_load_settings(struct eap_state *eap,
return false;
}
+ /*
+ * Limit length to prevent a stack overflow
+ */
+ if (strlen(password) > IWD_MAX_PASSWORD_LEN) {
+ l_free(password);
+ return false;
+ }
+
gtc = l_new(struct eap_gtc_state, 1);
gtc->password = password;
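Review bot: The rejection branch added to eap_gtc_load_settings frees the over-long password without wiping it and without logging why the settings were refused. A misconfigured network therefore fails silently, and the secret's bytes remain in freed heap memory. Consider `explicit_bzero(password, strlen(password));` before `l_free(password);`, if the project's portability rules allow it, plus a diagnostic along the lines of `l_error("EAP-GTC password is longer than IWD_MAX_PASSWORD_LEN");`. The comment could also say which buffer the limit protects, e.g. `/* The GTC response is built on the stack from this password, so bound it here */`, since that buffer lives in another function. The body of eap_gtc_load_settings starts and ends outside the hunk.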
--
2.17.1