From c8a2fca58cface0de90723d2e820b9d64a4cc043 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Tue, 9 Feb 2010 12:53:42 +0100
Subject: Limit the number of EAP-TLS packets allowed

---
 src/charon/plugins/eap_tls/eap_tls.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'src')

diff --git a/src/charon/plugins/eap_tls/eap_tls.c b/src/charon/plugins/eap_tls/eap_tls.c
index 25cb7775c..57f327991 100644
--- a/src/charon/plugins/eap_tls/eap_tls.c
+++ b/src/charon/plugins/eap_tls/eap_tls.c
@@ -42,6 +42,11 @@ struct private_eap_tls_t {
 	 */
 	identification_t *peer;
 
+	/**
+	 * Number of EAP-TLS messages processed so far
+	 */
+	int processed;
+
 	/**
 	 * Is this method instance acting as server?
 	 */
@@ -77,6 +82,8 @@ struct private_eap_tls_t {
 #define MAX_TLS_MESSAGE_LEN 16384
 /** Size of a EAP-TLS fragment */
 #define EAP_TLS_FRAGMENT_LEN 1014
+/** Maximum number of EAP-TLS messages/fragments allowed */
+#define MAX_EAP_TLS_MESSAGE_COUNT 16
 
 /**
  * Flags of an EAP-TLS message
@@ -320,6 +327,12 @@ METHOD(eap_method_t, process, status_t,
 	chunk_t data;
 	status_t status;
 
+	if (++this->processed > MAX_EAP_TLS_MESSAGE_COUNT)
+	{
+		DBG1(DBG_IKE, "EAP-TLS packet count exceeded");
+		return FAILED;
+	}
+
 	data = in->get_data(in);
 	pkt = (eap_tls_packet_t*)data.ptr;
-- 
cgit v1.2.3
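Review bot: The bound of 16 in the second hunk is smaller than what the file's own constants imply for a legitimate exchange: with MAX_TLS_MESSAGE_LEN 16384 and EAP_TLS_FRAGMENT_LEN 1014 a single maximum-size TLS message already spans 17 fragments, and the check added in the third hunk counts every packet handed to process(), including the peer's bare ACKs while this side sends its own fragments, so a handshake carrying a larger certificate chain fails the same way an abusive peer does. The limit is a sound defence against a peer keeping the method alive indefinitely, but it should be derived from those constants with headroom and the derivation stated in the comment, e.g. `/** Maximum number of EAP-TLS packets accepted per method instance; sized to cover MAX_TLS_MESSAGE_LEN/EAP_TLS_FRAGMENT_LEN fragments in each direction plus ACKs */`. The struct comment in the first hunk should also say the counter only tracks received packets, `/** Number of EAP-TLS packets received (counted in process()) */`, since nothing here increments it on the send path. For operators diagnosing a rejected handshake, logging the numbers helps: `DBG1(DBG_IKE, "EAP-TLS packet count exceeded (%d > %d)", this->processed, MAX_EAP_TLS_MESSAGE_COUNT);`. The constructor that must zero-initialize `processed` and the remainder of process() are outside these hunks, so the initial value cannot be confirmed from the diff.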