diff options
author | Steve Kondik <steve@cyngn.com> | 2015-08-21 00:21:57 -0700 |
---|---|---|
committer | Steve Kondik <steve@cyngn.com> | 2015-08-21 00:21:57 -0700 |
commit | da73fae6e0d3b0a86cc1bedee3edfdab54053429 (patch) | |
tree | 4ebbb13287ec8719f6ee63a7d3920f8f50029fbc /src | |
parent | b5ab0d9e392c40be0ae01e1b5c4121d6175d7eb3 (diff) | |
parent | 9f3f9c1a08a696dc76699ba7f4c6524427ea6cb2 (diff) | |
download | android_external_wpa_supplicant_8-da73fae6e0d3b0a86cc1bedee3edfdab54053429.tar.gz android_external_wpa_supplicant_8-da73fae6e0d3b0a86cc1bedee3edfdab54053429.tar.bz2 android_external_wpa_supplicant_8-da73fae6e0d3b0a86cc1bedee3edfdab54053429.zip |
Merge branch 'LA.BF64.1.2.1' of git://codeaurora.org/platform/external/wpa_supplicant_8 into cm-12.1
Diffstat (limited to 'src')
-rw-r--r-- | src/eap_peer/eap_pwd.c | 1 | ||||
-rw-r--r-- | src/wps/httpread.c | 18 |
2 files changed, 19 insertions, 0 deletions
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c index ac0db995..bc4ddc57 100644 --- a/src/eap_peer/eap_pwd.c +++ b/src/eap_peer/eap_pwd.c @@ -835,6 +835,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, "fragments!"); return NULL; } + data->in_frag_pos = 0; pos += sizeof(u16); len -= sizeof(u16); } diff --git a/src/wps/httpread.c b/src/wps/httpread.c index d2855e32..454519ca 100644 --- a/src/wps/httpread.c +++ b/src/wps/httpread.c @@ -177,6 +177,12 @@ static int httpread_hdr_option_analyze( if (!isdigit(*hbp)) return -1; h->content_length = atol(hbp); + if (h->content_length < 0 || h->content_length > h->max_bytes) { + wpa_printf(MSG_DEBUG, + "httpread: Unacceptable Content-Length %d", + h->content_length); + return -1; + } h->got_content_length = 1; return 0; } @@ -509,6 +515,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx) if (h->got_content_length && new_alloc_nbytes < (h->content_length + 1)) new_alloc_nbytes = h->content_length + 1; + if (new_alloc_nbytes < h->body_alloc_nbytes || + new_alloc_nbytes > h->max_bytes) { + wpa_printf(MSG_DEBUG, + "httpread: Unacceptable body length %d", + new_alloc_nbytes); + goto bad; + } if ((new_body = os_realloc(h->body, new_alloc_nbytes)) == NULL) goto bad; @@ -608,6 +621,11 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx) ncopy = nread; } /* Note: should never be 0 */ + if (ncopy < 0) { + wpa_printf(MSG_DEBUG, + "httpread: Invalid ncopy=%d", ncopy); + goto bad; + } if (ncopy > nread) ncopy = nread; os_memcpy(bbp, rbp, ncopy); |