author | Tim Kourt <tim.a.kourt@linux.intel.com> | 2020-02-05 15:19:05 -0800 |
---|---|---|
committer | Denis Kenzior <denkenz@gmail.com> | 2020-02-06 10:28:39 -0600 |
commit | bdf328320d895191b4ba8e9779f8ad553fbcbb12 (patch) | |
tree | 2f0b10e7900fa33db7e3a15e5c790debe1e56f53 | |
parent | 4f745ff930248313eaf21a81ed9a753d2c8473bc (diff) | |
download | iwd-bdf328320d895191b4ba8e9779f8ad553fbcbb12.tar.gz |
peap: Ensure TLV uniqueness
Processing the duplicated TLVs while connecting to a malicious AP may lead
to overflow of the response buffer. This patch ensures that the
duplicated TLVs are not parsed.
-rw-r--r-- | src/eap-peap.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/eap-peap.c b/src/eap-peap.c
index 6decbfb35..a8a58a927 100644
--- a/src/eap-peap.c
+++ b/src/eap-peap.c
@@ -357,6 +357,8 @@ static int eap_extensions_process_tlvs(struct eap_state *eap,
 int response_len = 0;
 uint16_t tlv_type;
 uint16_t tlv_value_len;
+ bool seen_result_tlv = false;
+ bool seen_cryptobinding_tlv = false;
 while (data_len >= EAP_EXTENSIONS_TLV_HEADER_LEN) {
 int response_tlv_len = 0;
@@ -374,12 +376,22 @@ static int eap_extensions_process_tlvs(struct eap_state *eap,
 switch (tlv_type) {
 case EAP_EXTENSIONS_TLV_TYPE_RESULT:
+ if (seen_result_tlv)
+ return -EBADMSG;
+
+ seen_result_tlv = true;
+
 response_tlv_len = eap_extensions_handle_result_tlv(eap, data, tlv_value_len, response, result);
 break;
 case EAP_EXTENSIONS_TLV_TYPE_CRYPTOBINDING:
+ if (seen_cryptobinding_tlv)
+ return -EBADMSG;
+
+ seen_cryptobinding_tlv = true;
+
 response_tlv_len = eap_extensions_handle_cryptobinding_tlv(eap, data, tlv_value_len, response); |
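Review bot: The response-buffer overflow is closed only indirectly in the second hunk: `eap_extensions_handle_result_tlv()` and `eap_extensions_handle_cryptobinding_tlv()` are still handed `response` with no remaining-length argument, so the bound rests entirely on the two `seen_*` flags declared in the first hunk covering every TLV type that can emit a reply. The `default:` arm and the code that advances `response` lie outside the hunk, so it is not visible whether any other type writes a reply; if one does, or one is added later, the same overflow would return. I would state the invariant above the switch, e.g. `/* Each TLV type is accepted once; the handlers write into response without a size, so duplicates must be rejected here. */` (wording to be confirmed against the buffer's declaration, which is not shown). As a follow-up, comparing `response_len` plus `response_tlv_len` against the buffer's capacity before each handler call would make the bound explicit rather than implied. The body of `eap_extensions_process_tlvs()` begins and ends outside both hunks.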