diff options
| author | Dmitry Shmidt <dimitrysh@google.com> | 2014-06-13 11:05:14 -0700 |
|---|---|---|
| committer | Dmitry Shmidt <dimitrysh@google.com> | 2014-06-13 11:05:14 -0700 |
| commit | 623d63a3a443027e50efdaaec027befcc3882527 (patch) | |
| tree | 1055a29422bfeb5a4fcb94a5127ae2b58d79807d /src/eap_server | |
| parent | 09f57babfc1e4473db20ced4f58a4c9f082c8ed8 (diff) | |
| download | android_external_wpa_supplicant_8-623d63a3a443027e50efdaaec027befcc3882527.tar.gz android_external_wpa_supplicant_8-623d63a3a443027e50efdaaec027befcc3882527.tar.bz2 android_external_wpa_supplicant_8-623d63a3a443027e50efdaaec027befcc3882527.zip | |
Cumulative patch from commit 6590b6400f73762fc6a53ad6ca05a73246cc5e54
6590b64 EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873)
49d13df P2P: Fix wfd_dev_info parsing for P2P-DEVICE-FOUND (CID 68127)
1851e17 dbus: Clean up P2P group vendor ext getter
137ff33 HS 2.0R2: Fix OSEN IE parsing for in cipher setup (CID 68132)
2703fb4 WNM: Use cleaner way of generating pointer to a field (CID 68100)
da995b2 WNM: Use cleaner way of generating pointer to a field (CID 68099)
062833c GAS server: Fix request frame length validation (CID 68098)
5ce3ae4 HT: Use cleaner way of generating pointer to a field (CID 68097)
fb5d417 P2P: Use cleaner way of generating pointer to a field (CID 68096)
35c0318 P2P: Use cleaner way of generating pointer to a field (CID 68095)
e987c70 dbus: Add explicit break statements to switch-default
6446420 dbus: Initialize temporary entry properly (CID 62877)
70d9537 Use clearer way of getting pointer to a frame (CID 62835)
c02f35f WPS: Clean up indentation level (CID 68109)
0e87e79 Fix HS20_GET_NAI_HOME_REALM_LIST hex length check (CID 68108)
beb9e11 dbus: Avoid theoretical memory leaks with duplicated dict entries
ceb4cd8 dbus: Fix a potential double-free in on error path (CID 62880)
68e2b88 TNC: Fix minor memory leak (CID 62848)
5519241 GAS: Limit TX wait time based on driver maximum value
a0ab408 P2P: Fix SD and DevDisc to limit maximum wait time per driver support
Change-Id: If9bdd7b9961c775e39ce1a8fb58220052434b395
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Diffstat (limited to 'src/eap_server')
| -rw-r--r-- | src/eap_server/eap_server_tnc.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/eap_server/eap_server_tnc.c b/src/eap_server/eap_server_tnc.c index 67a3dfa3..21bd26f8 100644 --- a/src/eap_server/eap_server_tnc.c +++ b/src/eap_server/eap_server_tnc.c @@ -480,7 +480,8 @@ static void eap_tnc_process(struct eap_sm *sm, void *priv, message_length = WPA_GET_BE32(pos); pos += 4; - if (message_length < (u32) (end - pos)) { + if (message_length < (u32) (end - pos) || + message_length > 75000) { wpa_printf(MSG_DEBUG, "EAP-TNC: Invalid Message " "Length (%d; %ld remaining in this msg)", message_length, (long) (end - pos)); |