---
- branch: MAIN
  date: Sat May  9 19:46:01 UTC 2015
  files:
  - new: '1.2'
    old: 1.1.1.4
    path: src/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c
    pathrev: src/external/bsd/wpa/dist/src/eap_peer/eap_pwd.c@1.2
    type: modified
  id: 20150509T194601Z.56cc593f5d2c5edce51ad71c72ebc19cd98d3fc0
  log: |
    The length of the received Commit and Confirm message payloads was not
    checked before reading them. This could result in a buffer read
    overflow when processing an invalid message.

    Fix this by verifying that the payload is of expected length before
    processing it. In addition, enforce correct state transition sequence to
    make sure there is no unexpected behavior if receiving a Commit/Confirm
    message before the previous exchanges have been completed.

    Thanks to Kostya Kortchinsky of Google security team for discovering and
    reporting this issue.

    XXX: pullup-7
  module: src
  subject: 'CVS commit: src/external/bsd/wpa/dist/src/eap_peer'
  unixtime: '1431200761'
  user: christos