Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | Upstream-Status: Backport |
| 2 | |
| 3 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> |
| 4 | |
| 5 | From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001 |
| 6 | From: Jouni Malinen <j@w1.fi> |
| 7 | Date: Fri, 1 May 2015 16:37:45 +0300 |
| 8 | Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit |
| 9 | and Confirm |
| 10 | |
| 11 | The length of the received Commit and Confirm message payloads was not |
| 12 | checked before reading them. This could result in a buffer read |
| 13 | overflow when processing an invalid message. |
| 14 | |
| 15 | Fix this by verifying that the payload is of expected length before |
| 16 | processing it. In addition, enforce correct state transition sequence to |
| 17 | make sure there is no unexpected behavior if receiving a Commit/Confirm |
| 18 | message before the previous exchanges have been completed. |
| 19 | |
| 20 | Thanks to Kostya Kortchinsky of Google security team for discovering and |
| 21 | reporting this issue. |
| 22 | |
| 23 | Signed-off-by: Jouni Malinen <j@w1.fi> |
| 24 | --- |
| 25 | src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++ |
| 26 | 1 file changed, 29 insertions(+) |
| 27 | |
| 28 | diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c |
| 29 | index f2b0926..a629437 100644 |
| 30 | --- a/src/eap_peer/eap_pwd.c |
| 31 | +++ b/src/eap_peer/eap_pwd.c |
| 32 | @@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, |
| 33 | BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL; |
| 34 | u16 offset; |
| 35 | u8 *ptr, *scalar = NULL, *element = NULL; |
| 36 | + size_t prime_len, order_len; |
| 37 | + |
| 38 | + if (data->state != PWD_Commit_Req) { |
| 39 | + ret->ignore = TRUE; |
| 40 | + goto fin; |
| 41 | + } |
| 42 | + |
| 43 | + prime_len = BN_num_bytes(data->grp->prime); |
| 44 | + order_len = BN_num_bytes(data->grp->order); |
| 45 | + |
| 46 | + if (payload_len != 2 * prime_len + order_len) { |
| 47 | + wpa_printf(MSG_INFO, |
| 48 | + "EAP-pwd: Unexpected Commit payload length %u (expected %u)", |
| 49 | + (unsigned int) payload_len, |
| 50 | + (unsigned int) (2 * prime_len + order_len)); |
| 51 | + goto fin; |
| 52 | + } |
| 53 | |
| 54 | if (((data->private_value = BN_new()) == NULL) || |
| 55 | ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) || |
| 56 | @@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, |
| 57 | u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; |
| 58 | int offset; |
| 59 | |
| 60 | + if (data->state != PWD_Confirm_Req) { |
| 61 | + ret->ignore = TRUE; |
| 62 | + goto fin; |
| 63 | + } |
| 64 | + |
| 65 | + if (payload_len != SHA256_MAC_LEN) { |
| 66 | + wpa_printf(MSG_INFO, |
| 67 | + "EAP-pwd: Unexpected Confirm payload length %u (expected %u)", |
| 68 | + (unsigned int) payload_len, SHA256_MAC_LEN); |
| 69 | + goto fin; |
| 70 | + } |
| 71 | + |
| 72 | /* |
| 73 | * first build up the ciphersuite which is group | random_function | |
| 74 | * prf |
| 75 | -- |
| 76 | 1.9.1 |
| 77 | |