[PATCH 7/8] mka: add check for body length when decoding peers


The standard says that the body length must be a multiple of 16B.

Signed-off-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
---
 src/pae/ieee802_1x_kay.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 4c050eb9866a..3e349ad84169 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -999,6 +999,12 @@ static int ieee802_1x_mka_decode_live_peer_body(
 
 	hdr = (const struct ieee802_1x_mka_hdr *) peer_msg;
 	body_len = get_mka_param_body_len(hdr);
+	if (body_len % 16 != 0) {
+		wpa_printf(MSG_ERROR,
+			   "KaY: MKA Peer Packet Body Length (%zu bytes) should be a multiple of 16 octets",
+			   body_len);
+		return -1;
+	}
 
 	for (i = 0; i < body_len; i += MI_LEN + sizeof(peer_mn)) {
 		peer_mi = MKA_HDR_LEN + peer_msg + i;
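Review bot: The new check in ieee802_1x_mka_decode_live_peer_body() hard-codes 16, while the loop directly below it steps by `MI_LEN + sizeof(peer_mn)`. If that stride is the 16 octets the standard refers to, test `body_len % (MI_LEN + sizeof(peer_mn))` or a named constant shared by both, so the validation and the iteration cannot drift apart. Two smaller points: body_len comes from a received packet, so logging the rejection at MSG_ERROR lets a peer generate error-level log lines at will, and a lower level may be more appropriate. Also, nothing visible in this hunk compares body_len with the number of bytes actually received, so it is worth confirming that the caller already bounds it before the loop reads `MKA_HDR_LEN + peer_msg + i`.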
@@ -1053,6 +1059,12 @@ ieee802_1x_mka_decode_potential_peer_body(
 
 	hdr = (struct ieee802_1x_mka_hdr *) peer_msg;
 	body_len = get_mka_param_body_len(hdr);
+	if (body_len % 16 != 0) {
+		wpa_printf(MSG_ERROR,
+			   "KaY: MKA Peer Packet Body Length (%zu bytes) should be a multiple of 16 octets",
+			   body_len);
+		return -1;
+	}
 
 	for (i = 0; i < body_len; i += MI_LEN + sizeof(peer_mn)) {
 		peer_mi = MKA_HDR_LEN + peer_msg + i;
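Review bot: The log string in ieee802_1x_mka_decode_potential_peer_body() is identical to the one added to the live peer decoder ("KaY: MKA Peer Packet Body Length (%zu bytes) should be a multiple of 16 octets"), so a log reader cannot tell which parameter set was rejected. Name the list in the message (live vs. potential peer list), or move the six duplicated lines into one small helper that takes the name as an argument and is called from both decoders. The wording "should be" is also weaker than the commit message's "must be", and since the function returns -1 here, "must be" would describe the behaviour more accurately.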
-- 
2.9.0


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap


