
Fix memory allocation failure handling in EAP-TTLS/MSCHAPv2 server

If the os_malloc() call for the User-Name value fails in EAP-TTLS
server, the inner MSCHAPv2 processing could have tried to dereference a
NULL pointer. Avoid this by handling the failure cleanly as an internal
error and rejecting the authentication attempt.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Jouni Malinen 12 years ago
parent
commit
a2f94dbe62
1 changed files with 12 additions and 4 deletions
  1. 12 4
      src/eap_server/eap_server_ttls.c

+ 12 - 4
src/eap_server/eap_server_ttls.c

@@ -674,6 +674,13 @@ static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
 		return;
 	}
 
+	if (sm->identity == NULL) {
+		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity "
+			   "known");
+		eap_ttls_state(data, FAILURE);
+		return;
+	}
+
 	/* MSCHAPv2 does not include optional domain name in the
 	 * challenge-response calculation, so remove domain prefix
 	 * (if present). */
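Review bot: The new `sm->identity == NULL` guard has no comment saying when that state is still reachable. The other hunk of this commit now appears to leave eap_ttls_process_phase2 on allocation failure, so a reader cannot tell from here which path the guard protects. A short comment above it would help, for example `/* MSCHAPv2 needs the user name below; reject if no identity was stored */`. The guard tests only the pointer, so if the prefix-stripping code that follows relies on `sm->identity_len`, that field presumably has to be consistent with the pointer as well. The body of eap_ttls_process_phase2_mschapv2 starts and ends outside the hunk.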
@@ -979,11 +986,12 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
 	if (parse.user_name) {
 		os_free(sm->identity);
 		sm->identity = os_malloc(parse.user_name_len);
-		if (sm->identity) {
-			os_memcpy(sm->identity, parse.user_name,
-				  parse.user_name_len);
-			sm->identity_len = parse.user_name_len;
+		if (sm->identity == NULL) {
+			eap_ttls_state(data, FAILURE);
+			goto done;
 		}
+		os_memcpy(sm->identity, parse.user_name, parse.user_name_len);
+		sm->identity_len = parse.user_name_len;
 		if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
 		    != 0) {
 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
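Review bot: On the new allocation-failure branch (`if (sm->identity == NULL)`), `sm->identity_len` still holds the length of the identity just released by `os_free()`, so pointer and length disagree after the early exit. Adding `sm->identity_len = 0;` before `eap_ttls_state(data, FAILURE);` keeps the pair consistent for any later code that checks the length and not the pointer. The branch is also silent, unlike the MSCHAPv2 guard added in the first hunk. A line such as `wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to allocate memory for Phase2 identity");` would make the rejection diagnosable. The `done` label and the rest of eap_ttls_process_phase2 lie outside the hunk, so the cleanup that runs there is not visible here.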