From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 9 Oct 2025 09:29:30 +0000 (+0200)
Subject: eap-mschapv2: Fix length check for successful responses on the client
X-Git-Url: https://git.feebdaed.xyz/?a=commitdiff_plain;h=9ef637e7820dd599db08ff2ca523e117797ea9a2;p=0xmirror%2Fstrongswan.git

eap-mschapv2: Fix length check for successful responses on the client

While wrong, this isn't an issue in practice as AUTH_RESPONSE_LEN is
long enough that subtracting HEADER_LEN is fine.

Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
---

diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index 1bb54c877..21cc95a6a 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -889,7 +889,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
 	data = in->get_data(in);
 	eap = (eap_mschapv2_header_t*)data.ptr;
 
-	if (data.len < AUTH_RESPONSE_LEN)
+	if (data.len < HEADER_LEN + AUTH_RESPONSE_LEN)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
 		return FAILED;