From 586c446e0ff42ae00315b014924ec669023bd8de Mon Sep 17 00:00:00 2001

From: Jouni Malinen <j@w1.fi>

Date: Sun, 7 Oct 2012 20:06:29 +0300

Subject: [PATCH] EAP-TLS server: Fix TLS Message Length validation

EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS

Message Length value properly and could end up trying to store more

information into the message buffer than the allocated size if the first

fragment is longer than the indicated size. This could result in hostapd

process terminating in wpabuf length validation. Fix this by rejecting

messages that have invalid TLS Message Length value.

This would affect cases that use the internal EAP authentication server

in hostapd either directly with IEEE 802.1X or when using hostapd as a

RADIUS authentication server and when receiving an incorrectly

constructed EAP-TLS message. Cases where hostapd uses an external

authentication are not affected.

Thanks to Timo Warns for finding and reporting this issue.

Signed-hostap: Jouni Malinen <j@w1.fi>

intended-for: hostap-1

---

 src/eap_server/eap_server_tls_common.c | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c

index 31be2ec..46f282b 100644

--- a/src/eap_server/eap_server_tls_common.c

+++ b/src/eap_server/eap_server_tls_common.c

@@ -228,6 +228,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,

 			return -1;

 		}

+		if (len > message_length) {

+			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "

+				   "first fragment of frame (TLS Message "

+				   "Length %d bytes)",

+				   (int) len, (int) message_length);

+			return -1;

+		}

+

 		data->tls_in = wpabuf_alloc(message_length);

 		if (data->tls_in == NULL) {

 			wpa_printf(MSG_DEBUG, "SSL: No memory for message");

-- 

1.7.11.4