Below is the patch that takes the identity_len field into account when sprintf-ing the non-null-terminated identity.
It only prints the length of the identity & doesn't expect a null terminator when returning it via the control interface.
See also http://lists.infradead.org/pipermail/hostap/2017-September/037933.html
Signed-off-by: Michael Baird <Michael.Baird at ecs.vuw.ac.nz>
---
src/ap/ieee802_1x.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 793d381..d35773d 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -17,6 +17,7 @@
#include "radius/radius.h"
#include "radius/radius_client.h"
#include "eap_server/eap.h"
+#include "eap_server/eap_i.h"
#include "eap_common/eap_wsc_common.h"
#include "eapol_auth/eapol_auth_sm.h"
#include "eapol_auth/eapol_auth_sm_i.h"
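Review bot: eap_server/eap_i.h is the EAP server's private header, and adding it to src/ap/ieee802_1x.c just so the MIB code can read sm->eap->identity_len ties the AP side to the layout of struct eap_sm, which the rest of this file avoids by going through eap_server/eap.h only. Prefer an accessor declared in eap.h that returns the identity pointer together with its length (if eap.h already exports one, use that and drop this include) so the EAP server internals stay behind their interface.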
@@ -2633,13 +2634,13 @@ int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
"dot1xAuthSessionAuthenticMethod=%d\n"
"dot1xAuthSessionTime=%u\n"
"dot1xAuthSessionTerminateCause=999\n"
- "dot1xAuthSessionUserName=%s\n",
+ "dot1xAuthSessionUserName=%.*s\n",
(unsigned long long) sta->acct_session_id,
(wpa_key_mgmt_wpa_ieee8021x(
wpa_auth_sta_key_mgmt(sta->wpa_sm))) ?
1 : 2,
(unsigned int) diff.sec,
- sm->identity);
+ (int) sm->eap->identity_len, sm->eap->identity);
if (os_snprintf_error(buflen - len, ret))
return len;
len += ret;
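Review bot: the new arguments dereference sm->eap with no visible check that sm->eap is non-NULL or that sm->eap->identity has been set; the EAP server state machine is not necessarily present for every station when this MIB text is produced, and passing a NULL pointer to "%.*s" is undefined even with a zero precision, so guard both before use and print an empty name when no identity is known. The (int) cast is required because "%.*s" takes an int precision, but it turns an oversized size_t into a negative value, which printf interprets as "no precision" and the bound you are adding disappears; a sanity check on identity_len before the cast keeps it honest. Since the bytes are the raw Identity Response payload from the peer, consider also that "%.*s" stops at identity_len but not at a newline, so this line-oriented output would be cleaner with the identity passed through the escaping helper hostapd already uses for such strings (printf_encode()).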
-- 2.7.4
On 19/09/17 08:19, Michael Baird wrote:
Hi,
In relation to this patch (this still occurred at the previous commit
https://w1.fi/cgit/hostap/commit/?id=3c7863f812d23fefa9987b29308006a29f1d6e9d).
Often the username (dot1XAuthSessionUsername) is <username> plus
random bytes, e.g. 'dot1XAuthSessionUsername=hostuser3ifier 115', where
the username is 'hostuser3'.
I was thinking that the issue is with not allocating space for a null
terminator and, when used in conjunction with printf-like functions,
running past the end of the char *. As specified in
https://tools.ietf.org/html/rfc3748#section-5.1, the EAP identity does not
send the null terminator (section 5.1):
"The Identity Response field MUST NOT be null terminated. In all
cases, the length of the Type-Data field is derived from the Length
field of the Request/Response packet."
From what I can tell, when it is used it is expected to be null
terminated, as a normal char *, or is this wrong? If it is not
supposed to be null terminated I will amend the above patch to take
the identity_len field into account when used in the printf function.
Thanks,
Michael
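The bounded-print approach the thread converges on (pass identity_len as the precision of "%.*s" instead of trusting a terminator that the EAP payload never carries), written out as a stand-alone C example. This is added illustration, not hostapd code and not Michael's patch: format_username_line(), snprintf_error() and demo_identity_line() are names chosen here, snprintf_error() re-implements the os_snprintf_error() check visible in the patch context, and the byte layout "hostuser3ifier 115" is constructed to mimic the reported output.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Re-implementation (for this example) of the os_snprintf_error() check
 * used in the patch context: non-zero when snprintf() failed or truncated. */
static int snprintf_error(size_t size, int res)
{
	return res < 0 || (size_t) res >= size;
}

/*
 * Format the dot1xAuthSessionUserName line from an EAP identity that is
 * not null terminated (RFC 3748 section 5.1). The precision argument of
 * %.*s bounds the read to identity_len bytes, so snprintf() never scans
 * memory for a terminator that the Identity Response does not contain.
 *
 * Returns the number of bytes written (excluding the terminator), or -1
 * when the identity is missing, too long for an int precision, or the
 * output buffer is too small.
 */
int format_username_line(char *buf, size_t buflen,
			 const unsigned char *identity, size_t identity_len)
{
	int ret;

	/* The EAP state machine or its identity may be absent for a station;
	 * refuse instead of handing NULL to a string conversion. */
	if (buf == NULL || identity == NULL)
		return -1;

	/* %.*s takes an int precision: a size_t that wraps to a negative int
	 * would be read as "no precision" and the bound would silently vanish. */
	if (identity_len > INT_MAX)
		return -1;

	ret = snprintf(buf, buflen, "dot1xAuthSessionUserName=%.*s\n",
		       (int) identity_len, (const char *) identity);
	if (snprintf_error(buflen, ret))
		return -1;
	return ret;
}

/*
 * Constructed reproduction of the reported symptom: the 9-byte identity
 * "hostuser3" sits in memory with unrelated bytes ("ifier 115") directly
 * after it and no terminator at offset 9. A plain %s would print all of it;
 * the bounded form prints exactly identity_len bytes.
 */
int demo_identity_line(char *buf, size_t buflen)
{
	static const unsigned char raw[] = "hostuser3ifier 115";
	const size_t identity_len = 9; /* taken from the EAP Length field */

	return format_username_line(buf, buflen, raw, identity_len);
}

int main(void)
{
	char line[64];

	if (demo_identity_line(line, sizeof(line)) < 0)
		return 1;
	fputs(line, stdout); /* prints "dot1xAuthSessionUserName=hostuser3" */
	return 0;
}
```

The two guards before the snprintf() call are the part a reviewer would ask for on top of the "%.*s" change itself: a missing identity yields an error instead of a NULL dereference, and the length is checked before it is narrowed to the int that the precision argument requires.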
On 14/09/17 16:00, Michael Baird wrote:
See also
http://lists.infradead.org/pipermail/hostap/2017-September/037933.html
Signed-off-by: Michael Baird <Michael.Baird@xxxxxxxxxxxxx>
---
src/ap/ieee802_1x.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 6ea1ebe..3517f7d 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -17,6 +17,7 @@
#include "radius/radius.h"
#include "radius/radius_client.h"
#include "eap_server/eap.h"
+#include "eap_server/eap_i.h"
#include "eap_common/eap_wsc_common.h"
#include "eapol_auth/eapol_auth_sm.h"
#include "eapol_auth/eapol_auth_sm_i.h"
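Review bot: including the EAP server's private header eap_server/eap_i.h from src/ap/ieee802_1x.c exposes struct eap_sm to the AP code solely to reach sm->eap->identity, where this file otherwise relies on the public eap_server/eap.h interface. An accessor in eap.h returning the identity and its length would give the MIB code what it needs without coupling it to the internal struct layout, and would also make the length available for a bounded print.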
@@ -2638,7 +2639,7 @@ int ieee802_1x_get_mib_sta(struct hostapd_data
*hapd, struct sta_info *sta,
wpa_auth_sta_key_mgmt(sta->wpa_sm))) ?
1 : 2,
(unsigned int) diff.sec,
- sm->identity);
+ sm->eap->identity);
if (os_snprintf_error(buflen - len, ret))
return len;
len += ret;
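Review bot: this swaps sm->identity for sm->eap->identity but leaves the "%s" conversion in place, and the EAP identity is the raw Identity Response payload, which is not null terminated (RFC 3748 section 5.1, quoted in the thread), so "%s" keeps reading past the end of the allocation until it happens to hit a zero byte; that is exactly the trailing garbage ("hostuser3ifier 115") this thread reports. The length has to be passed explicitly, i.e. "dot1xAuthSessionUserName=%.*s\n" with (int) sm->eap->identity_len as the precision argument, and sm->eap should be checked for NULL before it is dereferenced here.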
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap