Added ignoring of retry messages from RADIUS server when waiting EAP-TLS

Retry messages were not ignored correcly and caused memory corruption.

Author: Mika Leppänen

CHANGELOG.md

@@ -10,7 +10,7 @@
 * 
 
 ### Bug fixes
-* 
+* Added ignoring of retry messages from RADIUS server when waiting EAP-TLS
 
 
 ## Release v13.0.0 (15-04-2021)

source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c

@@ -71,6 +71,7 @@ typedef enum {
 #define RADIUS_ACCESS_ACCEPT          2
 #define RADIUS_ACCESS_REJECT          3
 #define RADIUS_ACCESS_CHALLENGE       11
+#define RADIUS_MESSAGE_NONE           0
 
 #define MS_MPPE_RECV_KEY_SALT_LEN     2
 #define MS_MPPE_RECV_KEY_BLOCK_LEN    16
@@ -239,14 +240,15 @@ static int8_t radius_client_sec_prot_init(sec_prot_t *prot)
     data->send_radius_msg = NULL;
     data->identity_len = 0;
     data->identity = NULL;
-    data->radius_code = 0;
+    data->radius_code = RADIUS_MESSAGE_NONE;
     data->radius_identifier = 0;
     memset(data->request_authenticator, 0, 16);
     data->state_len = 0;
     data->state = NULL;
     memset(data->remote_eui_64_hash, 0, 8);
     data->remote_eui_64_hash_set = false;
     data->new_pmk_set = false;
+    data->radius_id_range_set = false;
 
     if (!shared_data) {
         shared_data = ns_dyn_mem_alloc(sizeof(radius_client_sec_prot_shared_t));
@@ -379,6 +381,10 @@ static int8_t radius_client_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16
     uint8_t *radius_msg_ptr = pdu;
 
     uint8_t code = *radius_msg_ptr++;
+    if (code != RADIUS_ACCESS_ACCEPT && code != RADIUS_ACCESS_REJECT && code != RADIUS_ACCESS_CHALLENGE) {
+        return -1;
+    }
+
     uint8_t identifier = *radius_msg_ptr++;
     /* If identifier does not match to sent identifier, silently ignore message,
        already checked on socket if before routing the request to receive, so
@@ -430,6 +436,7 @@ static int8_t radius_client_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16
         // Message does not have radius EAP-TLS specific fields
         data->radius_code = code;
         prot->state_machine(prot);
+        data->radius_code = RADIUS_MESSAGE_NONE;
 
         return 0;
     }
@@ -519,6 +526,7 @@ static int8_t radius_client_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16
     data->radius_code = code;
     data->recv_eap_msg_len += data->radius_eap_tls_header_size;
     prot->state_machine(prot);
+    data->radius_code = RADIUS_MESSAGE_NONE;
 
     return 0;
 }
@@ -1127,6 +1135,16 @@ static void radius_client_sec_prot_state_machine(sec_prot_t *prot)
                 return;
             }
 
+            if (data->radius_code != RADIUS_MESSAGE_NONE) {
+                // Received retry for already handled message from RADIUS server, ignore
+                if (data->recv_eap_msg) {
+                    ns_dyn_mem_free(data->recv_eap_msg);
+                }
+                data->recv_eap_msg = NULL;
+                data->recv_eap_msg_len = 0;
+                return;
+            }
+
             tr_info("Radius: send access request, eui-64: %s", trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
 
             radius_client_sec_prot_allocate_and_create_radius_message(prot);