authorTim Kourt <tim.a.kourt@linux.intel.com>2020-02-05 15:19:05 -0800
committerDenis Kenzior <denkenz@gmail.com>2020-02-06 10:28:39 -0600
commitbdf328320d895191b4ba8e9779f8ad553fbcbb12 (patch)
tree2f0b10e7900fa33db7e3a15e5c790debe1e56f53
parent4f745ff930248313eaf21a81ed9a753d2c8473bc (diff)
downloadiwd-bdf328320d895191b4ba8e9779f8ad553fbcbb12.tar.gz
peap: Ensure TLV uniqueness
Processing the duplicated TLVs while connecting to a malicious AP may lead to overflow of the response buffer. This patch ensures that the duplicated TLVs are not parsed.
-rw-r--r--src/eap-peap.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/eap-peap.c b/src/eap-peap.c
index 6decbfb35..a8a58a927 100644
--- a/src/eap-peap.c
+++ b/src/eap-peap.c
@@ -357,6 +357,8 @@ static int eap_extensions_process_tlvs(struct eap_state *eap,
int response_len = 0;
uint16_t tlv_type;
uint16_t tlv_value_len;
+ bool seen_result_tlv = false;
+ bool seen_cryptobinding_tlv = false;
while (data_len >= EAP_EXTENSIONS_TLV_HEADER_LEN) {
int response_tlv_len = 0;
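Review bot: The `seen_result_tlv` and `seen_cryptobinding_tlv` flags declared here appear to be what keeps the writes into `response` within bounds, yet nothing at the declaration records that invariant. The handler calls in the following hunk (`eap_extensions_handle_result_tlv`, `eap_extensions_handle_cryptobinding_tlv`) take `response` without a remaining-capacity argument, so a TLV case added later without its own flag would presumably reintroduce the overflow; the handler bodies are not visible, so this should be confirmed. I would add a comment above the flags such as `/* Each TLV type is accepted at most once per message; the response buffer is sized on that assumption. */`. It would also help to log the two `-EBADMSG` rejections in the next hunk, so that a peer sending duplicated TLVs shows up in diagnostics instead of only as a failed authentication. The body of `eap_extensions_process_tlvs` starts before this hunk and continues past it.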
@@ -374,12 +376,22 @@ static int eap_extensions_process_tlvs(struct eap_state *eap,
switch (tlv_type) {
case EAP_EXTENSIONS_TLV_TYPE_RESULT:
+ if (seen_result_tlv)
+ return -EBADMSG;
+
+ seen_result_tlv = true;
+
response_tlv_len = eap_extensions_handle_result_tlv(eap,
data, tlv_value_len, response,
result);
break;
case EAP_EXTENSIONS_TLV_TYPE_CRYPTOBINDING:
+ if (seen_cryptobinding_tlv)
+ return -EBADMSG;
+
+ seen_cryptobinding_tlv = true;
+
response_tlv_len =
eap_extensions_handle_cryptobinding_tlv(eap,
data, tlv_value_len, response);