diff --git a/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c b/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
index 059bbeecb72d..9d6bc62495cf 100644
--- a/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
+++ b/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
@@ -301,6 +301,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
 u16 offset;
 u8 *ptr, *scalar = NULL, *element = NULL;
+ size_t prime_len, order_len;
+
+ if (data->state != PWD_Commit_Req) {
+ ret->ignore = TRUE;
+ goto fin;
+ }
+
+ prime_len = BN_num_bytes(data->grp->prime);
+ order_len = BN_num_bytes(data->grp->order);
+
+ if (payload_len != 2 * prime_len + order_len) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
+ (unsigned int) payload_len,
+ (unsigned int) (2 * prime_len + order_len));
+ goto fin;
+ }
 
 if (((data->private_value = BN_new()) == NULL) ||
 ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
diff --git a/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c b/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
index 943af0d15078..f71ba4a068da 100644
--- a/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
+++ b/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
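Review bot: In eap_peer/eap_pwd.c the two early exits added to eap_pwd_perform_commit_exchange() are handled differently and nothing explains why: the state check sets `ret->ignore = TRUE` before `goto fin`, while the payload-length check jumps to `fin` without touching `ret`. How a wrong-length Commit is treated therefore depends on the `fin:` cleanup, which lies outside this hunk, so that should be confirmed rather than assumed. I would add a comment above the length check, e.g. `/* Commit = Element (x and y, prime_len each) + Scalar (order_len); a wrong length fails the exchange instead of being ignored */`, adjusted to what `fin:` actually does. The state check also appears to be what makes the `data->grp` dereference in `BN_num_bytes()` safe, and a one-line comment saying so would stop a later reorder from undoing it.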
@@ -634,9 +634,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
 BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
 EC_POINT *K = NULL, *point = NULL;
 int res = 0;
+ size_t prime_len, order_len;
 
 wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
 
+ prime_len = BN_num_bytes(data->grp->prime);
+ order_len = BN_num_bytes(data->grp->order);
+
+ if (payload_len != 2 * prime_len + order_len) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
+ (unsigned int) payload_len,
+ (unsigned int) (2 * prime_len + order_len));
+ goto fin;
+ }
+
 if (((data->peer_scalar = BN_new()) == NULL) ||
 ((data->k = BN_new()) == NULL) ||
 ((cofactor = BN_new()) == NULL) ||
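Review bot: In eap_server/eap_server_pwd.c, `BN_num_bytes(data->grp->prime)` dereferences `data->grp` with no preceding check, whereas the peer-side hunk first verifies `data->state`. If the caller only reaches eap_pwd_process_commit_resp() once the group has been set up (not visible in this hunk) that is safe, but it should be stated with a comment such as `/* caller dispatches on state, so data->grp is set here */`, or guarded with `if (data->grp == NULL) goto fin;`. The length test and its log call are also duplicated verbatim from the peer file and evaluate `2 * prime_len + order_len` twice; a local `expected_len` or a shared helper would keep the two sides from drifting apart. The function body starts and ends outside the hunk.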