Fixed EAP-SIM and EAP-AKA AT_IDENTITY parsing (server only)
author: Jouni Malinen <j@w1.fi>
Thu, 4 Dec 2008 16:51:42 +0000 (18:51 +0200)
committer: Jouni Malinen <j@w1.fi>
Thu, 4 Dec 2008 16:51:42 +0000 (18:51 +0200)
The attribute uses the 'Actual Identity Length' field to indicate the exact
(pre-padding) length of the Identity. This actual length should be used
as the length, not the remaining attribute length.

This was previously worked around by stripping null termination away
from the end of the identity string at EAP-SIM and EAP-AKA server code.
However, it is likely that that workaround is not really needed and the
real problem was in AT_IDENTITY parsing. Anyway, the workaround is left
in just in case it was really needed with some implementations.

src/eap_common/eap_sim_common.c

index e33fe3e..58253f9 100644
@@ -554,8 +554,20 @@ int eap_sim_parse_attr(const u8 *start, const u8 *end,
                        break;
                case EAP_SIM_AT_IDENTITY:
                        wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IDENTITY");
-                       attr->identity = apos + 2;
-                       attr->identity_len = alen - 2;
+                       plen = WPA_GET_BE16(apos);
+                       apos += 2;
+                       alen -= 2;
+                       if (plen > alen) {
+                               wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
+                                          "AT_IDENTITY (Actual Length %lu, "
+                                          "remaining length %lu)",
+                                          (unsigned long) plen,
+                                          (unsigned long) alen);
+                               return -1;
+                       }
+
+                       attr->identity = apos;
+                       attr->identity_len = plen;
                        break;
                case EAP_SIM_AT_VERSION_LIST:
                        if (aka) {
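Review bot: the `alen -= 2` on the line before the `plen > alen` check assumes the AT_IDENTITY body is at least two bytes long when this case is reached; if the generic attribute-length validation earlier in eap_sim_parse_attr does not already reject an attribute shorter than the 2-byte Actual Identity Length field, the subtraction wraps for an unsigned `alen` and the following comparison would pass with an out-of-range `apos`. Suggest guarding the subtraction explicitly, in the same style as the new error path, e.g. `if (alen < 2) { wpa_printf(MSG_INFO, "EAP-SIM: Too short AT_IDENTITY"); return -1; }` before `plen = WPA_GET_BE16(apos);`. The rest of the hunk is correct: reading `plen` from the first two bytes and bounding it by the remaining length is exactly what the attribute format requires, and setting `identity_len = plen` instead of `alen - 2` stops the padding bytes from being treated as part of the identity, which is what the commit message identifies as the real cause of the trailing null bytes.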