[PATCH] Using wpa_psk_radius=3 can lead to malformed RADIUS packets that do not conform to the standard for "Long Extended Type" as defined in RFC 6929.

Kellen Gattis k3113n6 at gmail.com
Thu May 22 22:46:42 PDT 2025


This was observed when using wpa_psk_radius=3 in conjunction with
wpa_key_mgmt=WPA-PSK FT-PSK that resulted in a RADIUS attribute for
245.26.11344.2 that was 256 octets in size.  The expected outcome was
two fragments containing data sizes of 251 and 5 octets, but hostapd
instead created a fragment of 256 octets (exceeded the size limit)
followed by a fragment of 5 octets.

This patch will make it so the fragments preceding the final fragment
will have the correct data size by using alen instead of data_len when
running wpabuf_put_data.

Signed-off-by: Kellen Gattis <k3113n6 at gmail.com>
---
 src/radius/radius.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/radius/radius.c b/src/radius/radius.c
index 029e6223c..40c037dcc 100644
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -807,7 +807,7 @@ struct radius_attr_hdr * radius_msg_add_attr(struct radius_msg *msg, u16 type,
 			ext->length = sizeof(*ext) + 1 + alen;
 			ext->ext_type = ext_type;
 			wpabuf_put_u8(msg->buf, data_len > alen ? 0x80 : 0);
-			wpabuf_put_data(msg->buf, data, data_len);
+			wpabuf_put_data(msg->buf, data, alen);
 			data += alen;
 			data_len -= alen;
 			if (radius_msg_add_attr_to_array(
-- 
2.49.0




More information about the Hostap mailing list