On Fri, Aug 18, 2017 at 01:14:28AM +0200, Michael Braun wrote:
> ieee802_1x_kay_decode_mkpdu calls ieee802_1x_mka_i_in_peerlist before
> body_len has been checked on all segments.
>
> ieee802_1x_kay_decode_mkpdu and ieee802_1x_mka_i_in_peerlist might
> continue and thus underflow left_len even if it finds left_len too small
> (or before checking).
>
> Additionally, ieee802_1x_mka_dump_peer_body might perform out of bound
> reads in this case.
>
> Fix this by checking left_len and aborting if too small early.

Thanks, applied.

--
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
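The check-before-use pattern the quoted commit message describes, as an added C example that is not hostap's code and not part of the original thread. It assumes a simplified parameter-set layout; `validate_param_sets`, `unchecked_step`, `body_len_of` and the sample frames are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified layout (not hostap's structs): type, reserved, then a
 * 12-bit body length in bytes 2-3; body padded to a multiple of 4 bytes. */
#define HDR_LEN 4u
#define ALIGN4(n) (((n) + 3u) & ~(size_t)3u)

static size_t body_len_of(const uint8_t *hdr)
{
    return ((size_t)(hdr[2] & 0x0f) << 8) | hdr[3];
}

/* Failure mode: left_len is unsigned, so subtracting a segment larger than
 * what remains wraps around to a huge value instead of going negative. */
static size_t unchecked_step(size_t left_len, size_t body_len)
{
    return left_len - (HDR_LEN + ALIGN4(body_len));
}

/* Validation pass: check every segment against left_len before any handler
 * reads a body. Returns the segment count, or -1 if a segment is malformed. */
static int validate_param_sets(const uint8_t *buf, size_t len)
{
    size_t pos = 0, left_len = len;
    int count = 0;
    while (left_len > 0) {
        if (left_len < HDR_LEN)
            return -1;                 /* truncated header */
        size_t seg = HDR_LEN + ALIGN4(body_len_of(buf + pos));
        if (seg > left_len)
            return -1;                 /* body runs past the frame */
        pos += seg;
        left_len -= seg;               /* cannot underflow after the check */
        count++;
    }
    return count;
}

/* Constructed sample frames: two well-formed sets; one claiming 64 bytes. */
static const uint8_t good[] = { 1,0,0,4, 0xaa,0xbb,0xcc,0xdd, 2,0,0,2, 0x11,0x22,0,0 };
static const uint8_t bad[]  = { 1,0,0,0x40, 0xaa,0xbb,0xcc,0xdd };
int main(void)
{
    printf("good=%d bad=%d wrapped=%zu\n", validate_param_sets(good, sizeof(good)),
           validate_param_sets(bad, sizeof(bad)), unchecked_step(sizeof(bad), 0x40));
    return 0;
}
```

Running the validation pass over the whole frame first means a later per-segment handler never sees a `left_len` that has already wrapped.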