eap-ttls: Limit maximum length of tunneled EAP packet to EAP-TTLS packet

diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
index 66c9dee..e0b59a6 100644 (file)
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -112,6 +112,13 @@ METHOD(tls_application_t, process, status_t,
                                eap_data = avp_data;
                                break;
                        }
+                       else if (eap_len > reader->remaining(reader) + avp_data.len)
+                       {
+                               /* rough size check, ignoring AVP headers in remaining data */
+                               DBG1(DBG_IKE, "EAP packet too large for EAP-TTLS AVP(s)");
+                               chunk_free(&avp_data);
+                               return FAILED;
+                       }
                        else if (avp_data.len == MAX_RADIUS_ATTRIBUTE_SIZE)
                        {
                                /* non-standard: EAP packet segmented into multiple AVPs */
@@ -128,7 +135,7 @@ METHOD(tls_application_t, process, status_t,
 
                if (avp_data.len > eap_data.len - eap_pos)
                {
-                       DBG1(DBG_IKE, "AVP size to large to fit into EAP packet");
+                       DBG1(DBG_IKE, "AVP size too large to fit into EAP packet");
                        chunk_free(&avp_data);
                        chunk_free(&eap_data);
                        return FAILED;