EAP TTLS peer_challenge buffer allocation

Kaustav Dey Biswas kaustav_deybiswas
Mon Mar 5 03:41:09 PST 2012


I was going through the EAP TTLS code (MSCHAPv2), and I noticed some potential issues with the eap_ttls_phase2_request_mschapv2() function.

The problem is as follows. The 'challenge' pointer is first malloc'ed to a size of (EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1) by the eap_ttls_implicit_challenge() function. Then, the 'peer_challenge' pointer is set to (challenge + 1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN), which is just outside the allocated challenge buffer, and is hence unallocated memory. Right after that, data up to a size of EAP_TTLS_MSCHAPV2_CHALLENGE_LEN is read from the 'peer_challenge' buffer and copied into 'pos'.

I am not able to understand how data is being read from an unallocated area in memory. That might cause segfaults, and would read in garbage values anyway. Am I missing something?

Any help would be appreciated.

Thanks & Regards,
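As an added illustration (not code from hostapd or from the poster), the following models the buffer layout described above and reports how many bytes a read of peer_challenge would run past the end of a challenge allocation of a given size. It assumes EAP_TTLS_MSCHAPV2_CHALLENGE_LEN is 16 as in hostapd; the (2 * LEN + 1) size is simply what this layout needs to hold an identifier byte plus two challenges, not something the post states.

```c
#include <stddef.h>
#include <stdio.h>

/* Length of one MSCHAPv2 challenge, as defined in hostapd's eap_ttls.c. */
#define EAP_TTLS_MSCHAPV2_CHALLENGE_LEN 16

/* Offset of peer_challenge in the layout the post describes:
 * one identifier byte, then the server challenge, then the peer challenge. */
#define PEER_CHALLENGE_OFFSET (1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN)

/*
 * Returns 1 if reading read_len bytes at offset stays inside an allocation
 * of alloc_len bytes, 0 otherwise. The subtraction is ordered so that an
 * oversized offset cannot wrap the size_t arithmetic.
 */
int region_in_bounds(size_t alloc_len, size_t offset, size_t read_len)
{
    if (offset > alloc_len)
        return 0;
    return read_len <= alloc_len - offset;
}

/*
 * Number of bytes by which reading peer_challenge would run past the end of
 * a challenge buffer of alloc_len bytes; 0 means the read fits.
 */
size_t peer_challenge_overrun(size_t alloc_len)
{
    size_t end = PEER_CHALLENGE_OFFSET + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;

    if (region_in_bounds(alloc_len, PEER_CHALLENGE_OFFSET,
                         EAP_TTLS_MSCHAPV2_CHALLENGE_LEN))
        return 0;
    return end - alloc_len;
}

int main(void)
{
    /* The allocation size the post assumes: room for the identifier byte
     * and one challenge only, so peer_challenge lies entirely past the end. */
    size_t single = EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1;
    /* The size this layout needs: identifier byte plus two challenges. */
    size_t both = 2 * EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1;

    printf("alloc %zu: overrun %zu bytes\n", single, peer_challenge_overrun(single));
    printf("alloc %zu: overrun %zu bytes\n", both, peer_challenge_overrun(both));
    return 0;
}
```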
