aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/hostapd/patches/007-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
diff options
context:
space:
mode:
Diffstat (limited to 'package/network/services/hostapd/patches/007-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch')
-rw-r--r--package/network/services/hostapd/patches/007-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch50
1 files changed, 0 insertions, 50 deletions
diff --git a/package/network/services/hostapd/patches/007-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/package/network/services/hostapd/patches/007-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
deleted file mode 100644
index 7edef099eb..0000000000
--- a/package/network/services/hostapd/patches/007-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 2 May 2015 19:26:06 +0300
-Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
- reassembly
-
-The remaining number of bytes in the message could be smaller than the
-Total-Length field size, so the length needs to be explicitly checked
-prior to reading the field and decrementing the len variable. This could
-have resulted in the remaining length becoming negative and interpreted
-as a huge positive integer.
-
-In addition, check that there is no already started fragment in progress
-before allocating a new buffer for reassembling fragments. This avoid a
-potential memory leak when processing invalid message.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 3189105..2bfc3c2 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- * the first fragment has a total length
- */
- if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
-+ if (len < 2) {
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-pwd: Frame too short to contain Total-Length field");
-+ return;
-+ }
- tot_len = WPA_GET_BE16(pos);
- wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
- "length = %d", tot_len);
- if (tot_len > 15000)
- return;
-+ if (data->inbuf) {
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
-+ return;
-+ }
- data->inbuf = wpabuf_alloc(tot_len);
- if (data->inbuf == NULL) {
- wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
---
-1.9.1
-