EAP TTLS peer_challenge buffer allocation

Jouni Malinen j
Mon Mar 5 07:07:10 PST 2012

On Mon, Mar 05, 2012 at 05:11:09PM +0530, Kaustav Dey Biswas wrote:
> I was going through the EAP TTLS code (MSCHAPv2), and I noticed some potential issues with the eap_ttls_phase2_request_mschapv2() function.

Thanks for bringing this up!

> The problem is as follows. The 'challenge' pointer is first malloc'ed to a size of (EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1) by the eap_ttls_implicit_challenge() function. Then, the 'peer_challenge' pointer is set to (challenge + 1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN), which is just outside the allocated challenge buffer, and is hence un-allocated memory. Right after that, data upto a size of EAP_TTLS_MSCHAPV2_CHALLENGE_LEN is read from the 'peer_challenge' buffer and copied into 'pos'.
> I am not able to understand how data is being read from an un-allocated area in memory. That might cause segfaults, and would read in garbage values anyways. Am I missing something?

This function used to derive both the implicit server challenge and peer
challenge from the single call of eap_ttls_implicit_challenge(). That
was cleaned up to use the correct length for the implicit challenge
(16+1 octets). However, the peer_challenge part was missed at that point
and interestingly, no one has reported this causing issues over the four
years after that the implementation has been broken..

This is now fixed here:

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list