author | Stefan Sperling <stsp@cvs.openbsd.org> | 2017-07-22 16:48:22 +0000 |
---|---|---|
committer | Stefan Sperling <stsp@cvs.openbsd.org> | 2017-07-22 16:48:22 +0000 |
commit | 8b950b1e47f1b58ab5eb9a540b612f48ee2750af (patch) | |
tree | 3326b310f7f7827a5df7504834b90b035ae12b0f /sys/net80211/ieee80211_pae_input.c | |
parent | 595ea01890bed554f6f33da88e4078dc8963437e (diff) |
Fix length checks in EAPOL key frame parsing.
Problem reported by Ilja Van Sprundel.
ok tb@ kevlo@
Diffstat (limited to 'sys/net80211/ieee80211_pae_input.c')
-rw-r--r-- | sys/net80211/ieee80211_pae_input.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/sys/net80211/ieee80211_pae_input.c b/sys/net80211/ieee80211_pae_input.c
index 6d716bb8ed9..2ac0bc4acff 100644
--- a/sys/net80211/ieee80211_pae_input.c
+++ b/sys/net80211/ieee80211_pae_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_pae_input.c,v 1.28 2017/03/01 20:20:45 stsp Exp $ */
+/* $OpenBSD: ieee80211_pae_input.c,v 1.29 2017/07/22 16:48:21 stsp Exp $ */
 /*-
 * Copyright (c) 2007,2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -78,7 +78,7 @@ ieee80211_eapol_key_input(struct ieee80211com *ic, struct mbuf *m,
 struct ether_header *eh;
 struct ieee80211_eapol_key *key;
 u_int16_t info, desc;
- int totlen;
+ int totlen, bodylen, paylen;
 ifp->if_ibytes += m->m_pkthdr.len;
@@ -109,12 +109,14 @@ ieee80211_eapol_key_input(struct ieee80211com *ic, struct mbuf *m,
 goto done;
 /* check packet body length */
- if (m->m_pkthdr.len < 4 + BE_READ_2(key->len))
+ bodylen = BE_READ_2(key->len);
+ totlen = 4 + bodylen;
+ if (m->m_pkthdr.len < totlen || totlen > MCLBYTES)
 goto done;
 /* check key data length */
- totlen = sizeof(*key) + BE_READ_2(key->paylen);
- if (m->m_pkthdr.len < totlen || totlen > MCLBYTES)
+ paylen = BE_READ_2(key->paylen);
+ if (paylen > totlen - sizeof(*key))
 goto done;
 info = BE_READ_2(key->info); |
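Review bot: The new key data length check `if (paylen > totlen - sizeof(*key))` in the third hunk subtracts a `size_t` from an `int`, so the arithmetic is unsigned. If a frame advertises a body length that makes `totlen` (4 + bodylen) smaller than `sizeof(*key)`, the difference wraps to a very large value and every `paylen` is accepted. The packet body check just above bounds `totlen` only from above, against `m->m_pkthdr.len` and `MCLBYTES`. The function starts and ends outside this hunk, so a lower bound may already be enforced earlier; that should be confirmed. If it is not, state it in the condition: `if (totlen < sizeof(*key) || paylen > totlen - sizeof(*key))`.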