EAP TTLS peer_challenge buffer allocation
Kaustav Dey Biswas
Mon Mar 5 03:41:09 PST 2012
I was going through the EAP TTLS code (MSCHAPv2), and I noticed some potential issues with the eap_ttls_phase2_request_mschapv2() function.
The problem is as follows. The 'challenge' pointer is first malloc'ed to a size of (EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1) by the eap_ttls_implicit_challenge() function. Then, the 'peer_challenge' pointer is set to (challenge + 1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN), which is just outside the allocated challenge buffer, and is hence un-allocated memory. Right after that, data upto a size of EAP_TTLS_MSCHAPV2_CHALLENGE_LEN is read from the 'peer_challenge' buffer and copied into 'pos'.
I am not able to understand how data is being read from an un-allocated area in memory. That might cause segfaults, and would read in garbage values anyways. Am I missing something?
Any help would be appreciated.
Thanks & Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Hostap