From b99967f5b1f59d6c2e6d6d9771cb5f2bf31b5173 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Wed, 13 Oct 2010 22:59:59 +0200
Subject: [PATCH] Check data_len for internal TLVs

---
 src/modules/rlm_eap/types/rlm_eap_peap/peap.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
index 15e89dd..b77d647 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
@@ -383,10 +383,13 @@ static int vp2eap(REQUEST *request, tls_session_t *tls_session, VALUE_PAIR *vp)
 /*
  *	See if there's a TLV in the response.
  */
-static int eappeap_check_tlv(REQUEST *request, const uint8_t *data)
+static int eappeap_check_tlv(REQUEST *request, const uint8_t *data,
+			     size_t data_len)
 {
 	const eap_packet_t *eap_packet = (const eap_packet_t *) data;
 
+	if (data_len < 11) return 0;
+
 	/*
 	 *	Look for success or failure.
 	 */
@@ -402,6 +405,8 @@ static int eappeap_check_tlv(REQUEST *request, const uint8_t *data)
 		}
 	}
 
+	RDEBUG("Unknown TLV %02x", data[10]);
+
 	return 0;
 }
 
@@ -857,7 +862,7 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session)
 	 *	If we authenticated the user, then it's OK.
 	 */
 	case PEAP_STATUS_SENT_TLV_SUCCESS:
-		if (eappeap_check_tlv(request, data)) {
+		if (eappeap_check_tlv(request, data, data_len)) {
 			RDEBUG2("Success");
 			return RLM_MODULE_OK;
 		}
-- 
2.1.4