[PATCH] peap: Ensure TLV uniqueness

[PATCH] peap: Ensure TLV uniqueness

[Tim Kourt]

[-- Attachment #1: Type: text/plain, Size: 1336 bytes --]

Processing the duplicated TLVs while connecting to a malicious AP may lead
to overflow of the response buffer. This patch ensures that the
duplicated TLVs are not parsed.
---
 src/eap-peap.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/eap-peap.c b/src/eap-peap.c
index 8c3ba2f3..c17e5b92 100644
--- a/src/eap-peap.c
+++ b/src/eap-peap.c
@@ -353,6 +353,8 @@ static int eap_extensions_process_tlvs(struct eap_state *eap,
 	int response_len = 0;
 	uint16_t tlv_type;
 	uint16_t tlv_value_len;
+	bool seen_result_tlv = false;
+	bool seen_cryptobinding_tlv = false;
 
 	while (data_len >= EAP_EXTENSIONS_TLV_HEADER_LEN) {
 		int response_tlv_len = 0;
@@ -370,12 +372,22 @@ static int eap_extensions_process_tlvs(struct eap_state *eap,
 
 		switch (tlv_type) {
 		case EAP_EXTENSIONS_TLV_TYPE_RESULT:
+			if (seen_result_tlv)
+				return -EBADMSG;
+
+			seen_result_tlv = true;
+
 			response_tlv_len = eap_extensions_handle_result_tlv(eap,
 						data, tlv_value_len, response,
 						result);
 
 			break;
 		case EAP_EXTENSIONS_TLV_TYPE_CRYPTOBINDING:
+			if (seen_cryptobinding_tlv)
+				return -EBADMSG;
+
+			seen_cryptobinding_tlv = true;
+
 			response_tlv_len =
 				eap_extensions_handle_cryptobinding_tlv(eap,
 						data, tlv_value_len, response);
-- 
2.13.6

Re: [PATCH] peap: Ensure TLV uniqueness

[Denis Kenzior]

[-- Attachment #1: Type: text/plain, Size: 355 bytes --]

Hi Tim,

On 2/5/20 5:19 PM, Tim Kourt wrote:
> Processing the duplicated TLVs while connecting to a malicious AP may lead
> to overflow of the response buffer. This patch ensures that the
> duplicated TLVs are not parsed.
> ---
>   src/eap-peap.c | 12 ++++++++++++
>   1 file changed, 12 insertions(+)
> 

Applied, thanks.

Regards,
-Denis