+ lm_exch = *pos;
+ pos++; /* skip over the bits and the exch */
+ len--;
+
+ /*
+ * if we're fragmenting then this should be an ACK with no data,
+ * just return and continue fragmenting in the "build" section above
+ */
+ if (data->out_frag_pos) {
+ if (len > 1)
+ wpa_printf(MSG_INFO, "EAP-pwd: Bad response! "
+ "Fragmenting but not an ACK");
+ else
+ wpa_printf(MSG_DEBUG, "EAP-pwd: received ACK from "
+ "peer");
+ return;
+ }
+ /*
+ * if we're receiving fragmented packets then we need to buffer...
+ *
+ * the first fragment has a total length
+ */
+ if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+ if (len < 2) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Frame too short to contain Total-Length field");
+ return;
+ }
+ tot_len = WPA_GET_BE16(pos);
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
+ "length = %d", tot_len);
+ if (tot_len > 15000)
+ return;
+ if (data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+ return;
+ }
+ data->inbuf = wpabuf_alloc(tot_len);
+ if (data->inbuf == NULL) {
+ wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
+ "buffer fragments!");
+ return;
+ }
+ data->in_frag_pos = 0;
+ pos += sizeof(u16);
+ len -= sizeof(u16);
+ }
+ /*
+ * the first and all intermediate fragments have the M bit set
+ */
+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
+ "attack detected! (%d+%d > %d)",
+ (int) data->in_frag_pos, (int) len,
+ (int) wpabuf_size(data->inbuf));
+ eap_pwd_state(data, FAILURE);
+ return;
+ }
+ wpabuf_put_data(data->inbuf, pos, len);
+ data->in_frag_pos += len;
+ }
+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
+ (int) len);
+ return;
+ }
+ /*
+ * last fragment won't have the M bit set (but we're obviously
+ * buffering fragments so that's how we know it's the last)
+ */
+ if (data->in_frag_pos) {
+ pos = wpabuf_head_u8(data->inbuf);
+ len = data->in_frag_pos;
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+ (int) len);
+ }
+ switch (EAP_PWD_GET_EXCHANGE(lm_exch)) {