diff options
-rw-r--r-- | contrib/wpa/src/eap_server/eap_server_tls_common.c | 8 | ||||
-rw-r--r-- | sys/compat/linux/linux_ioctl.c | 5 |
2 files changed, 11 insertions, 2 deletions
diff --git a/contrib/wpa/src/eap_server/eap_server_tls_common.c b/contrib/wpa/src/eap_server/eap_server_tls_common.c index 25ae683f0668..625ff52a4c2b 100644 --- a/contrib/wpa/src/eap_server/eap_server_tls_common.c +++ b/contrib/wpa/src/eap_server/eap_server_tls_common.c @@ -225,6 +225,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data, return -1; } + if (len > message_length) { + wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " + "first fragment of frame (TLS Message " + "Length %d bytes)", + (int) len, (int) message_length); + return -1; + } + data->tls_in = wpabuf_alloc(message_length); if (data->tls_in == NULL) { wpa_printf(MSG_DEBUG, "SSL: No memory for message"); diff --git a/sys/compat/linux/linux_ioctl.c b/sys/compat/linux/linux_ioctl.c index a2b1dc02c407..168e68012625 100644 --- a/sys/compat/linux/linux_ioctl.c +++ b/sys/compat/linux/linux_ioctl.c @@ -2260,8 +2260,9 @@ again: ifc.ifc_len = valid_len; sbuf_finish(sb); - memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len); - error = copyout(&ifc, uifc, sizeof(ifc)); + error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len); + if (error == 0) + error = copyout(&ifc, uifc, sizeof(ifc)); sbuf_delete(sb); CURVNET_RESTORE(); |