EAP-FAST server: Fix potential read-after-buffer (by one byte)

The special PAC_OPAQUE_TYPE_PAD case did not skip incrementing of the
pos pointer and could result in one octet read-after-buffer when parsing
the PAC-Opaque data.

Signed-off-by: Jouni Malinen <j@w1.fi>
Author: Jouni Malinen, 10 years ago
Commit: e8c08c9a36
1 changed file with 2 additions and 1 deletion:
  src/eap_server/eap_server_fast.c (+2 -1)

src/eap_server/eap_server_fast.c

@@ -187,7 +187,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
 		switch (*pos) {
 		case PAC_OPAQUE_TYPE_PAD:
 			pos = end;
-			break;
+			goto done;
 		case PAC_OPAQUE_TYPE_KEY:
 			if (pos[1] != EAP_FAST_PAC_KEY_LEN) {
 				wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid "
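Review bot: With `goto done;` replacing `break;` in the PAC_OPAQUE_TYPE_PAD case, the preceding `pos = end;` assignment no longer has an effect, since control jumps past the `pos += 2 + pos[1];` advance that previously consumed it; consider dropping the assignment or adding a short comment that a PAD octet terminates parsing of the PAC-Opaque TLVs. The change itself is the right fix for the overread: with `break`, `pos` was set to `end` and the loop tail then read `pos[1]`, one octet beyond the buffer.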
@@ -218,6 +218,7 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
 
 		pos += 2 + pos[1];
 	}
+done:
 
 	if (pac_key == NULL) {
 		wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key included in "
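Review bot: The `done:` label is placed after the loop's closing brace and is followed by the `if (pac_key == NULL)` check rather than a declaration, so it is valid C and the PAC-Key presence check still runs on the early-exit path, which is what a PAD-terminated PAC-Opaque needs. A one-line comment at the label (for example, that PAD ends the TLV list and remaining padding is ignored) would make the non-local jump easier to follow for the next reader.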