--- xsupplicant-1.0.1/src/eap.c.memory-leak 2006-10-26 10:18:10.000000000 -0600
+++ xsupplicant-1.0.1/src/eap.c 2006-10-26 10:21:09.000000000 -0600
@@ -315,6 +315,12 @@ void eap_do_notify(struct interface_data
 // So, take the EAP length value, and subtract 5 to account for the EAP
 // header.
 
+ if (ntohs(myeap->eap_length) <= sizeof(struct eap_header))
+ {
+ debug_printf(DEBUG_NORMAL, "EAP notification message is a runt!\n");
+ return;
+ }
+
 // This will allocate 5 bytes more than we should need.
 myval = malloc(ntohs(myeap->eap_length));
 if (myval == NULL)
@@ -326,9 +332,11 @@ void eap_do_notify(struct interface_data
 memset(myval, 0x00, ntohs(myeap->eap_length));
 
- Strncpy(myval, (char *) &inframe[OFFSET_TO_DATA], (ntohs(myeap->eap_length)-5));
+ Strncpy(myval, (char *) &inframe[OFFSET_TO_DATA],
+ (ntohs(myeap->eap_length)-sizeof(struct eap_header)));
 
 debug_printf(DEBUG_NORMAL, "EAP Notification : %s\n", myval);
 
+ FREE(myval);
 }
 
 /*******************************************
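Review bot: The new runt check bounds only the low end of the peer-supplied EAP length; nothing in the hunk compares `ntohs(myeap->eap_length)` against the size of the frame actually received, so the later `Strncpy` from `&inframe[OFFSET_TO_DATA]` can still read up to roughly 64 KiB past the end of a short frame whose header claims a large length. If the received frame length is available in `eap_do_notify` (its parameter list is cut off by the hunk header, so I cannot tell), the check should also reject oversized lengths, e.g. `if (eap_len <= sizeof(struct eap_header) || eap_len > frame_len - OFFSET_TO_DATA)` with `eap_len` and `frame_len` hoisted into locals. The context comment above still says `subtract 5` while the new code uses `sizeof(struct eap_header)`; it should read `// header; subtract sizeof(struct eap_header) to get the payload length.` so the two stay in step. The function begins before this hunk.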
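Review bot: `debug_printf(DEBUG_NORMAL, "EAP Notification : %s\n", myval)` writes the notification text to the log exactly as received from the peer; the `%s` itself is safe because the copy length is `sizeof(struct eap_header)` short of the `memset`-zeroed allocation, so the buffer is always NUL-terminated, but the bytes are otherwise unfiltered and a hostile authenticator can inject newlines or terminal escape sequences into the log. Consider scrubbing before logging, e.g. `for (i = 0; myval[i]; i++) if (!isprint((unsigned char)myval[i])) myval[i] = '.';`. The added `FREE(myval)` closes the leak on the only path that reaches the end of the function, since the runt return happens before `malloc`; the `myval == NULL` branch and the start of `eap_do_notify` lie outside the hunk.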