---
- branch: MAIN
  date: Sat May 9 19:50:41 UTC 2015
  files:
  - new: '1.3'
    old: '1.2'
    path: src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c
    pathrev: src/external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c@1.3
    type: modified
  id: 20150509T195041Z.e479a7b9661d8ada5d1eb5b1713c2d12046e6a42
  log: |
    The remaining number of bytes in the message could be smaller than the
    Total-Length field size, so the length needs to be explicitly checked
    prior to reading the field and decrementing the len variable. This could
    have resulted in the remaining length becoming negative and interpreted
    as a huge positive integer.

    In addition, check that there is no already started fragment in progress
    before allocating a new buffer for reassembling fragments. This avoids a
    potential memory leak when processing an invalid message.

    XXX: pullup-7
  module: src
  subject: 'CVS commit: src/external/bsd/wpa/dist/src/eap_server'
  unixtime: '1431201041'
  user: christos