Source-Changes-HG archive


[src/trunk]: src/external/bsd/wpa/dist/src The remaining number of bytes in t...



details:   https://anonhg.NetBSD.org/src/rev/1ad8a63a8fda
branches:  trunk
changeset: 338079:1ad8a63a8fda
user:      christos <christos%NetBSD.org@localhost>
date:      Sat May 09 19:49:28 2015 +0000

description:
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.

In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoids a
potential memory leak when processing an invalid message.

XXX: pullup-7
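The description above covers two distinct defects: an unsigned remaining-length counter that wraps when the Total-Length field is read from fewer than two bytes, and a reassembly buffer that is overwritten (and leaked) when a second "first fragment" arrives. The following is an added illustration in C, not code from the wpa_supplicant/hostapd tree: a simplified, hypothetical fragment header (one lm_exch byte with an assumed length bit at 0x80, then a 2-byte big-endian Total-Length) parsed first without and then with the two checks, over constructed sample frames. The names FRAG_LENGTH_BIT, struct reassembly, start_fragment and self_check are assumptions for the example; the 15000 cap is the one the patched code uses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified, hypothetical first-fragment header (not the project's own
 * definitions): one lm_exch byte whose top bit signals that a 2-byte
 * big-endian Total-Length field follows. Bit position is assumed. */
#define FRAG_LENGTH_BIT   0x80
#define TOTAL_LEN_SIZE    2
#define FRAG_MAX_TOTAL    15000   /* same upper bound as the patched code */

enum frag_result {
    FRAG_OK,            /* header parsed, reassembly started */
    FRAG_NOT_FIRST,     /* length bit clear: not a first fragment */
    FRAG_TOO_SHORT,     /* fewer bytes left than the field needs */
    FRAG_TOO_LONG,      /* Total-Length above the accepted maximum */
    FRAG_IN_PROGRESS    /* a reassembly buffer already exists */
};

/* Per-session reassembly state; stands in for data->inbuf. */
struct reassembly {
    bool   in_progress;
    size_t total;
    size_t received;
};

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* The unchecked subtraction the commit describes: with an unsigned counter,
 * len - 2 for len < 2 wraps to a huge value instead of going negative. */
size_t remaining_unchecked(size_t len)
{
    return len - TOTAL_LEN_SIZE;
}

/* Checked variant: each read is preceded by a test of the bytes actually
 * left, and a live buffer is never replaced. On FRAG_OK, *remaining is the
 * number of payload bytes after the header. */
enum frag_result start_fragment(struct reassembly *r, const uint8_t *pos,
                                size_t len, size_t *remaining)
{
    if (len < 1)
        return FRAG_TOO_SHORT;
    uint8_t lm_exch = pos[0];
    pos++;
    len--;

    if (!(lm_exch & FRAG_LENGTH_BIT))
        return FRAG_NOT_FIRST;

    /* First check from the commit: the 2-byte field must fit in what is left. */
    if (len < TOTAL_LEN_SIZE)
        return FRAG_TOO_SHORT;
    uint16_t tot_len = get_be16(pos);
    if (tot_len > FRAG_MAX_TOTAL)
        return FRAG_TOO_LONG;

    /* Second check: refuse a new start while a buffer is still in use,
     * instead of overwriting (and leaking) it. */
    if (r->in_progress)
        return FRAG_IN_PROGRESS;

    len -= TOTAL_LEN_SIZE;   /* safe: len >= TOTAL_LEN_SIZE verified above */
    r->in_progress = true;
    r->total = tot_len;
    r->received = 0;
    *remaining = len;
    return FRAG_OK;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t frame_short1[]   = { 0x80 };                         /* L bit, no field */
static const uint8_t frame_short2[]   = { 0x80, 0x00 };                   /* one byte of a 2-byte field */
static const uint8_t frame_notfirst[] = { 0x00, 0x01 };                   /* L bit clear */
static const uint8_t frame_big[]      = { 0x80, 0x3B, 0x00 };             /* Total-Length 15104 */
static const uint8_t frame_good[]     = { 0x80, 0x00, 0x10, 0xAA, 0xBB }; /* Total-Length 16, 2 payload bytes */

/* Runs the scenarios and returns how many produced the expected result (7). */
int self_check(void)
{
    struct reassembly r = { false, 0, 0 };
    size_t rem = 0;
    int ok = 0;

    ok += start_fragment(&r, frame_short1, sizeof frame_short1, &rem) == FRAG_TOO_SHORT;
    ok += start_fragment(&r, frame_short2, sizeof frame_short2, &rem) == FRAG_TOO_SHORT;
    ok += start_fragment(&r, frame_notfirst, sizeof frame_notfirst, &rem) == FRAG_NOT_FIRST;
    ok += start_fragment(&r, frame_big, sizeof frame_big, &rem) == FRAG_TOO_LONG;
    ok += start_fragment(&r, frame_good, sizeof frame_good, &rem) == FRAG_OK
          && rem == 2 && r.total == 16;
    ok += start_fragment(&r, frame_good, sizeof frame_good, &rem) == FRAG_IN_PROGRESS;
    ok += remaining_unchecked(1) == SIZE_MAX;   /* the wrap the commit message warns about */
    return ok;
}

int main(void)
{
    printf("%d of 7 scenarios behaved as expected\n", self_check());
    return 0;
}
```

The two rejected short frames are exactly the inputs for which the old code would have read one or two bytes past the message and then driven the remaining length through zero; the repeated "good" frame shows why the in-progress test has to come before the allocation rather than after it.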

diffstat:

 external/bsd/wpa/dist/src/eap_peer/eap_pwd.c          |  12 ++++++++++++
 external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c |  10 ++++++++++
 2 files changed, 22 insertions(+), 0 deletions(-)

diffs (52 lines):

diff -r 217193cc6fd3 -r 1ad8a63a8fda external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
--- a/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c      Sat May 09 19:46:01 2015 +0000
+++ b/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c      Sat May 09 19:49:28 2015 +0000
@@ -800,11 +800,23 @@
         * if it's the first fragment there'll be a length field
         */
        if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+               if (len < 2) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-pwd: Frame too short to contain Total-Length field");
+                       ret->ignore = TRUE;
+                       return NULL;
+               }
                tot_len = WPA_GET_BE16(pos);
                wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
                           "total length = %d", tot_len);
                if (tot_len > 15000)
                        return NULL;
+               if (data->inbuf) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+                       ret->ignore = TRUE;
+                       return NULL;
+               }
                data->inbuf = wpabuf_alloc(tot_len);
                if (data->inbuf == NULL) {
                        wpa_printf(MSG_INFO, "Out of memory to buffer "
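Review bot: the rejection paths in this hunk are not consistent with each other; the new `len < 2` and `data->inbuf` exits both set `ret->ignore = TRUE` before `return NULL`, but the existing `if (tot_len > 15000) return NULL;` between them still returns without touching `ret->ignore`, so the caller sees an oversized Total-Length differently from a truncated one. Consider setting `ret->ignore = TRUE` there too, or explaining in a comment why that case is meant to differ. The `data->inbuf` guard itself is the right shape: it refuses the new first fragment rather than overwriting a buffer that is still being filled.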
diff -r 217193cc6fd3 -r 1ad8a63a8fda external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
--- a/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c     Sat May 09 19:46:01 2015 +0000
+++ b/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c     Sat May 09 19:49:28 2015 +0000
@@ -913,11 +913,21 @@
         * the first fragment has a total length
         */
        if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+               if (len < 2) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-pwd: Frame too short to contain Total-Length field");
+                       return;
+               }
                tot_len = WPA_GET_BE16(pos);
                wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
                           "length = %d", tot_len);
                if (tot_len > 15000)
                        return;
+               if (data->inbuf) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+                       return;
+               }
                data->inbuf = wpabuf_alloc(tot_len);
                if (data->inbuf == NULL) {
                        wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
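Review bot: the `if (data->inbuf) return;` path leaves the half-filled reassembly buffer in place, so once one reassembly stalls every later first fragment from that peer is dropped until something else clears `data->inbuf`; add a comment stating that this relies on the existing session cleanup to discard stale state, or say why dropping the new start is preferred to freeing the old buffer. Both this hunk and the peer-side one also hard-code the Total-Length field size as the literal `2` in `if (len < 2)`; a shared named constant would keep the two checks (and the message text that names the field) in step if the header format ever changes.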


