Updated to hostap_2_6

[mech_eap.git] / libeap / src / eap_peer / eap_fast_pac.c

diff --git a/libeap/src/eap_peer/eap_fast_pac.c b/libeap/src/eap_peer/eap_fast_pac.c
index 89e604e..c815860 100644 (file)
--- a/libeap/src/eap_peer/eap_fast_pac.c
+++ b/libeap/src/eap_peer/eap_fast_pac.c
@@ -455,7 +455,8 @@ int eap_fast_load_pac(struct eap_sm *sm, struct eap_fast_pac **pac_root,
        }
 
        if (pac) {
-               err = "PAC block not terminated with END";
+               if (!err)
+                       err = "PAC block not terminated with END";
                eap_fast_free_pac(pac);
        }
 
@@ -709,7 +710,7 @@ static void eap_fast_pac_get_a_id(struct eap_fast_pac *pac)
        pos = pac->pac_info;
        end = pos + pac->pac_info_len;
 
-       while (pos + 4 < end) {
+       while (end - pos > 4) {
                type = WPA_GET_BE16(pos);
                pos += 2;
                len = WPA_GET_BE16(pos);
@@ -801,8 +802,10 @@ int eap_fast_load_pac_bin(struct eap_sm *sm, struct eap_fast_pac **pac_root,
        while (pos < end) {
                u16 val;
 
-               if (end - pos < 2 + EAP_FAST_PAC_KEY_LEN + 2 + 2)
+               if (end - pos < 2 + EAP_FAST_PAC_KEY_LEN + 2 + 2) {
+                       pac = NULL;
                        goto parse_fail;
+               }
 
                pac = os_zalloc(sizeof(*pac));
                if (pac == NULL)