diff options
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch')
| -rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch | 54 |
1 files changed, 0 insertions, 54 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch deleted file mode 100644 index a4c02b4745..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch +++ /dev/null @@ -1,54 +0,0 @@ -Upstream-Status: Backport - -Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> - -From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j@w1.fi> -Date: Sat, 2 May 2015 19:26:06 +0300 -Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment - reassembly - -The remaining number of bytes in the message could be smaller than the -Total-Length field size, so the length needs to be explicitly checked -prior to reading the field and decrementing the len variable. This could -have resulted in the remaining length becoming negative and interpreted -as a huge positive integer. - -In addition, check that there is no already started fragment in progress -before allocating a new buffer for reassembling fragments. This avoid a -potential memory leak when processing invalid message. - -Signed-off-by: Jouni Malinen <j@w1.fi> ---- - src/eap_server/eap_server_pwd.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c -index 3189105..2bfc3c2 100644 ---- a/src/eap_server/eap_server_pwd.c -+++ b/src/eap_server/eap_server_pwd.c -@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, - * the first fragment has a total length - */ - if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) { -+ if (len < 2) { -+ wpa_printf(MSG_DEBUG, -+ "EAP-pwd: Frame too short to contain Total-Length field"); -+ return; -+ } - tot_len = WPA_GET_BE16(pos); - wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total " - "length = %d", tot_len); - if (tot_len > 15000) - return; -+ if (data->inbuf) { -+ wpa_printf(MSG_DEBUG, -+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use"); -+ return; -+ } - data->inbuf = wpabuf_alloc(tot_len); - if (data->inbuf == NULL) { - wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to " --- -1.9.1 - |