[PATCH] eap-pwd: add length checks for fragmented packets

[PATCH] eap-pwd: add length checks for fragmented packets

[James Prestwood]

[-- Attachment #1: Type: text/plain, Size: 1146 bytes --]

---
 src/eap-pwd.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/eap-pwd.c b/src/eap-pwd.c
index af373493..cd6684e7 100644
--- a/src/eap-pwd.c
+++ b/src/eap-pwd.c
@@ -669,6 +669,14 @@ static void eap_pwd_handle_request(struct eap_state *eap,
 
 		/* remove length of Total-Length parameter (2) */
 		pwd->rx_frag_total = l_get_be16(pkt + 1) - 2;
+
+		if (pwd->rx_frag_total < len - 2) {
+			l_error("Total-Length too small for remaining length");
+			pwd->rx_frag_total = 0;
+
+			return;
+		}
+
 		pwd->rx_frag_buf = l_malloc(pwd->rx_frag_total);
 
 		/* skip copying Total-Length for easier processing later */
@@ -687,6 +695,12 @@ static void eap_pwd_handle_request(struct eap_state *eap,
 
 	/* more rx fragments */
 	if (pwd->rx_frag_buf) {
+		if (pwd->rx_frag_total - pwd->rx_frag_count <
+						(uint16_t) len - 1) {
+			l_error("Not enough room for fragment (%zu)", len - 1);
+			return;
+
+		}
 		/* continue building packet (not including PWD-Exch byte) */
 		memcpy(pwd->rx_frag_buf + pwd->rx_frag_count, pkt + 1, len - 1);
 		pwd->rx_frag_count += (len - 1);
-- 
2.31.1

Re: [PATCH] eap-pwd: add length checks for fragmented packets

[Denis Kenzior]

[-- Attachment #1: Type: text/plain, Size: 183 bytes --]

Hi James,

On 1/19/22 12:13, James Prestwood wrote:
> ---
>   src/eap-pwd.c | 14 ++++++++++++++
>   1 file changed, 14 insertions(+)
> 

Applied, thanks.

Regards,
-Denis