Commit 0a6e8591 authored by Mark Stevens's avatar Mark Stevens
Browse files

update to duco/rk 3128-6003-6.0

No related merge requests found
......@@ -896,7 +896,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
/*
* buffer and ACK the fragment
*/
if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
data->in_frag_pos += len;
if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
......@@ -909,8 +909,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
return NULL;
}
wpabuf_put_data(data->inbuf, pos, len);
}
if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
EAP_PWD_HDR_SIZE,
EAP_CODE_RESPONSE, eap_get_id(reqData));
......@@ -924,8 +923,10 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
* we're buffering and this is the last fragment
*/
if (data->in_frag_pos) {
wpabuf_put_data(data->inbuf, pos, len);
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
(int) len);
data->in_frag_pos += len;
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
}
......
......@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
/*
* the first and all intermediate fragments have the M bit set
*/
if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
"attack detected! (%d+%d > %d)",
......@@ -981,8 +981,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
}
wpabuf_put_data(data->inbuf, pos, len);
data->in_frag_pos += len;
}
if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
(int) len);
return;
......@@ -992,6 +990,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* buffering fragments so that's how we know it's the last)
*/
if (data->in_frag_pos) {
wpabuf_put_data(data->inbuf, pos, len);
data->in_frag_pos += len;
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
......
......@@ -1305,7 +1305,7 @@ int wpa_config_write(const char *name, struct wpa_config *config)
#ifndef CONFIG_NO_CONFIG_BLOBS
struct wpa_config_blob *blob;
#endif /* CONFIG_NO_CONFIG_BLOBS */
int ret = 0;
int ret = 0, fd;
const char *orig_name = name;
int tmp_len = os_strlen(name) + 5; /* allow space for .tmp suffix */
char *tmp_name = os_malloc(tmp_len);
......@@ -1353,8 +1353,10 @@ int wpa_config_write(const char *name, struct wpa_config *config)
}
#endif /* CONFIG_NO_CONFIG_BLOBS */
os_fsync(f);
fflush(f);
fd = fileno(f);
if (fd >= 0)
fsync(fd);
fclose(f);
if (tmp_name) {
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment