<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div>Hi,</div><div><br></div><div>I was going through the EAP TTLS code (MSCHAPv2), and I noticed some potential issues with the eap_ttls_phase2_request_mschapv2() function.</div><div><br></div><div>The problem is as follows. The 'challenge' pointer is first malloc'ed to a size of (EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1) by the eap_ttls_implicit_challenge() function. Then, the 'peer_challenge' pointer is set to (challenge + 1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN), which is just outside the allocated challenge buffer, and is hence un-allocated memory. Right after that, data up to a size of EAP_TTLS_MSCHAPV2_CHALLENGE_LEN is read from the 'peer_challenge' buffer and copied into 'pos'.</div><div><br></div><div>I am not able to understand how data is being read from an un-allocated area in memory. That might cause segfaults, and would read in garbage values anyway. Am I missing something?</div><div><br></div><div>Any help would be appreciated.</div><div><br></div><div>Thanks &amp; Regards,</div><div>Kaustav<br></div></div></body></html>