Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2024-11-25 08:48:31 -05:00
Code Issues Projects Releases Wiki Activity

Fix validation of EAPOL-Key length with AES key wrap (CID 62859)

Browse Source 
The additional eight octet field was removed from keydatalen without
proper validation of the Key Data Length field. It would have been
possible for an invalid EAPOL-Key frame to be processed in a way that
ends up reading beyond the buffer. In theory, this could have also
resulted in writing beyond the EAPOL-Key frame buffer, but that is
unlikely to be feasible due to the AES key wrap validation step on
arbitrary memory contents.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-06-14 00:20:04 +03:00
parent 6590b6400f
commit b7c61c9d4e
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/rsn_supp/wpa.c
View File

@ -1501,7 +1501,7 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
sm->key_mgmt == WPA_KEY_MGMT_OSEN) {
u8 *buf;
if (keydatalen % 8) {
if (keydatalen < 8 || keydatalen % 8) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Unsupported AES-WRAP len %d",
keydatalen);