authorSteve Kondik <steve@cyngn.com>2015-08-21 00:21:57 -0700
committerSteve Kondik <steve@cyngn.com>2015-08-21 00:21:57 -0700
commitda73fae6e0d3b0a86cc1bedee3edfdab54053429 (patch)
tree4ebbb13287ec8719f6ee63a7d3920f8f50029fbc /src
parentb5ab0d9e392c40be0ae01e1b5c4121d6175d7eb3 (diff)
parent9f3f9c1a08a696dc76699ba7f4c6524427ea6cb2 (diff)
downloadandroid_external_wpa_supplicant_8-da73fae6e0d3b0a86cc1bedee3edfdab54053429.tar.gz
android_external_wpa_supplicant_8-da73fae6e0d3b0a86cc1bedee3edfdab54053429.tar.bz2
android_external_wpa_supplicant_8-da73fae6e0d3b0a86cc1bedee3edfdab54053429.zip
Merge branch 'LA.BF64.1.2.1' of git://codeaurora.org/platform/external/wpa_supplicant_8 into cm-12.1
Diffstat (limited to 'src')
-rw-r--r--src/eap_peer/eap_pwd.c1
-rw-r--r--src/wps/httpread.c18
2 files changed, 19 insertions, 0 deletions
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index ac0db995..bc4ddc57 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -835,6 +835,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
"fragments!");
return NULL;
}
+ data->in_frag_pos = 0;
pos += sizeof(u16);
len -= sizeof(u16);
}
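Review bot: The added `data->in_frag_pos = 0;` needs a comment saying why the reset is required, because the reason is not evident at this point in eap_pwd_process. Something like `/* new reassembly buffer: restart the write offset so a position left over from an earlier fragmented message cannot index past it */` would do. That wording is inferred from the surrounding error path, since the buffer allocation and the code that advances in_frag_pos are outside the hunk. It is also worth confirming that every path that frees or replaces the fragment buffer resets the position, so that this is not the only place the invariant is restored.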
diff --git a/src/wps/httpread.c b/src/wps/httpread.c
index d2855e32..454519ca 100644
--- a/src/wps/httpread.c
+++ b/src/wps/httpread.c
@@ -177,6 +177,12 @@ static int httpread_hdr_option_analyze(
if (!isdigit(*hbp))
return -1;
h->content_length = atol(hbp);
+ if (h->content_length < 0 || h->content_length > h->max_bytes) {
+ wpa_printf(MSG_DEBUG,
+ "httpread: Unacceptable Content-Length %d",
+ h->content_length);
+ return -1;
+ }
h->got_content_length = 1;
return 0;
}
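Review bot: The new range check in httpread_hdr_option_analyze runs after the `atol()` result has already been stored in `h->content_length`, so it tests the converted value rather than what the peer sent. `atol()` has undefined behaviour when the digits do not fit in a long. The `%d` in the log line suggests the field is an int, in which case an oversized long is narrowed before the comparison and may land back inside the accepted range. Parsing into a local first avoids that: `errno = 0; long cl = strtol(hbp, &end, 10);` followed by `if (errno == ERANGE || cl < 0 || cl > h->max_bytes) return -1;`, and only then the assignment. The function starts above the hunk, so its declarations are not visible here.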
@@ -509,6 +515,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
if (h->got_content_length &&
new_alloc_nbytes < (h->content_length + 1))
new_alloc_nbytes = h->content_length + 1;
+ if (new_alloc_nbytes < h->body_alloc_nbytes ||
+ new_alloc_nbytes > h->max_bytes) {
+ wpa_printf(MSG_DEBUG,
+ "httpread: Unacceptable body length %d",
+ new_alloc_nbytes);
+ goto bad;
+ }
if ((new_body = os_realloc(h->body, new_alloc_nbytes))
== NULL)
goto bad;
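Review bot: The `new_alloc_nbytes < h->body_alloc_nbytes` test detects wraparound only after the size arithmetic has already run. The `%d` format suggests these are signed ints, for which overflow is undefined and the compiler may assume the test is false. The growth step is above the hunk, but bounding the operands before adding (comparing the headroom `h->max_bytes - h->body_alloc_nbytes` with the increment) avoids relying on a wrapped value. Separately, the header check accepts a Content-Length equal to `h->max_bytes`, while `h->content_length + 1` is rejected here by `new_alloc_nbytes > h->max_bytes`. The two limits therefore disagree by one; using `>=` in the header check would make them consistent.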
@@ -608,6 +621,11 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
ncopy = nread;
}
/* Note: should never be 0 */
+ if (ncopy < 0) {
+ wpa_printf(MSG_DEBUG,
+ "httpread: Invalid ncopy=%d", ncopy);
+ goto bad;
+ }
if (ncopy > nread)
ncopy = nread;
os_memcpy(bbp, rbp, ncopy);
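Review bot: The existing comment `/* Note: should never be 0 */` now sits directly above a check for negative values, so it no longer describes the guard that follows it. A comment on the new check such as `/* a negative ncopy would be converted to a huge size by os_memcpy() */` states what is being defended against. In the visible lines ncopy is only clamped to nread. Whether it is also bounded by the space left at bbp is decided outside the hunk and is worth confirming there.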