Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2024-11-28 18:28:23 -05:00
Code Issues Projects Releases Wiki Activity

EAP-FAST server: Fix potential read-after-buffer (by one byte)

Browse Source 
The special PAC_OPAQUE_TYPE_PAD case did not skip incrementing of the
pos pointer and could result in one octet read-after-buffer when parsing
the PAC-Opaque data.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-07-26 21:12:49 +03:00
parent 8b65fefeed
commit e8c08c9a36
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/eap_server/eap_server_fast.c
View File

@ -187,7 +187,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
switch (*pos) {
case PAC_OPAQUE_TYPE_PAD:
pos = end;
break;
goto done;
case PAC_OPAQUE_TYPE_KEY:
if (pos[1] != EAP_FAST_PAC_KEY_LEN) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid "
@ -218,6 +218,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
pos += 2 + pos[1];
}
done:
if (pac_key == NULL) {
wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in "