mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-25 08:48:31 -05:00
EAP-PAX server: Add explicit CID length limit
Instead of using implicit limit based on 16-bit unsigned integer having a maximum value of 65535, limit the maximum length of a CID explicitly to 1500 bytes. This will hopefully help in reducing false warnings from static analyzers (CID 72712). Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
6a6566c7af
commit
6473e80ea4
@ -287,7 +287,7 @@ static void eap_pax_process_std_2(struct eap_sm *sm,
|
||||
struct eap_pax_hdr *resp;
|
||||
u8 mac[EAP_PAX_MAC_LEN], icvbuf[EAP_PAX_ICV_LEN];
|
||||
const u8 *pos;
|
||||
size_t len, left;
|
||||
size_t len, left, cid_len;
|
||||
int i;
|
||||
|
||||
if (data->state != PAX_STD_1)
|
||||
@ -320,7 +320,12 @@ static void eap_pax_process_std_2(struct eap_sm *sm,
|
||||
wpa_printf(MSG_INFO, "EAP-PAX: Too short PAX_STD-2 (CID)");
|
||||
return;
|
||||
}
|
||||
data->cid_len = WPA_GET_BE16(pos);
|
||||
cid_len = WPA_GET_BE16(pos);
|
||||
if (cid_len > 1500) {
|
||||
wpa_printf(MSG_INFO, "EAP-PAX: Too long CID");
|
||||
return;
|
||||
}
|
||||
data->cid_len = cid_len;
|
||||
os_free(data->cid);
|
||||
data->cid = os_malloc(data->cid_len);
|
||||
if (data->cid == NULL) {
|
||||
|
Loading…
Reference in New Issue
Block a user