1 From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <j@w1.fi>
3 Date: Sun, 1 Nov 2015 18:18:17 +0200
4 Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
6 All but the last fragment had their length checked against the remaining
7 room in the reassembly buffer. This allowed a suitably constructed last
8 fragment frame to try to add extra data that would go beyond the buffer.
9 The length validation code in wpabuf_put_data() prevents an actual
10 buffer write overflow from occurring, but this results in process
11 termination. (CVE-2015-5315)
13 Signed-off-by: Jouni Malinen <j@w1.fi>
15 src/eap_peer/eap_pwd.c | 7 +++----
16 1 file changed, 3 insertions(+), 4 deletions(-)
18 diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
19 index 1f78544..75ceef1 100644
20 --- a/src/eap_peer/eap_pwd.c
21 +++ b/src/eap_peer/eap_pwd.c
22 @@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
24 * buffer and ACK the fragment
26 - if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
27 + if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
28 data->in_frag_pos += len;
29 if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
30 wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
31 @@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
34 wpabuf_put_data(data->inbuf, pos, len);
37 + if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
38 resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
40 EAP_CODE_RESPONSE, eap_get_id(reqData));
41 @@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
42 * we're buffering and this is the last fragment
44 if (data->in_frag_pos) {
45 - wpabuf_put_data(data->inbuf, pos, len);
46 wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
48 - data->in_frag_pos += len;
49 pos = wpabuf_head_u8(data->inbuf);
50 len = data->in_frag_pos;