diff --git a/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c b/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
index 9d6bc62495cf..941d9d22adb6 100644
--- a/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
+++ b/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
@@ -800,11 +800,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
 * if it's the first fragment there'll be a length field
 */
 if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+ if (len < 2) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Frame too short to contain Total-Length field");
+ ret->ignore = TRUE;
+ return NULL;
+ }
 tot_len = WPA_GET_BE16(pos);
 wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
 "total length = %d", tot_len);
 if (tot_len > 15000)
 return NULL;
+ if (data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+ ret->ignore = TRUE;
+ return NULL;
+ }
 data->inbuf = wpabuf_alloc(tot_len);
 if (data->inbuf == NULL) {
 wpa_printf(MSG_INFO, "Out of memory to buffer "
diff --git a/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c b/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
index f71ba4a068da..2d350e5b175b 100644
--- a/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
+++ b/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
@@ -913,11 +913,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
 * the first fragment has a total length
 */
 if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+ if (len < 2) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Frame too short to contain Total-Length field");
+ return;
+ }
 tot_len = WPA_GET_BE16(pos);
 wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
 "length = %d", tot_len);
 if (tot_len > 15000)
 return;
+ if (data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+ return;
+ }
 data->inbuf = wpabuf_alloc(tot_len);
 if (data->inbuf == NULL) {
 wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
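Review bot: In the eap_peer/eap_pwd.c hunk the two new early returns set `ret->ignore = TRUE` before `return NULL`, but the pre-existing `if (tot_len > 15000) return NULL;` that sits between them still returns without setting it, so an oversized Total-Length is reported to the EAP state machine as a method failure while an undersized frame or a duplicate fragment start is merely ignored; if that distinction is not intended, `if (tot_len > 15000) { ret->ignore = TRUE; return NULL; }` would make the three rejection paths uniform. The new `if (data->inbuf)` guard in both hunks (eap_pwd.c and eap_server_pwd.c) also deserves a one-line comment stating its purpose, e.g. `/* A Total-Length field may only start a reassembly; seeing one while inbuf is still live indicates a malformed fragment sequence, so drop this frame and keep the buffer already in progress. */`, because leaving the existing buffer in place rather than resetting it is a deliberate choice that is not obvious from the code. Both eap_pwd_process bodies continue outside their hunks, so whether `pos` and `len` are advanced past the Total-Length field after the allocation cannot be confirmed from here.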