From 66dc5ee58177ce515e13706ea41f5dc8f5c4cafa Mon Sep 17 00:00:00 2001
From: domosekai <54519668+domosekai@users.noreply.github.com>
Date: Sat, 10 Jul 2021 08:15:03 +0000
Subject: [PATCH] Cedar/Radius.c: Fix EAP Message buffer overflow
---
 src/Cedar/Radius.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/Cedar/Radius.c b/src/Cedar/Radius.c
index aa2b358e..067ea5c5 100644
--- a/src/Cedar/Radius.c
+++ b/src/Cedar/Radius.c
@@ -1069,7 +1069,8 @@ RADIUS_PACKET *EapSendPacketAndRecvResponse(EAP_CLIENT *e, RADIUS_PACKET *r)
 is_finish = true;
 Free(rp->Parse_EapMessage);
- rp->Parse_EapMessage = Clone(e->PEAP_CurrentReceivingMsg->Buf, e->PEAP_CurrentReceivingMsg->Size);
+ rp->Parse_EapMessage = ZeroMalloc(sizeof(EAP_MESSAGE));
+ Copy(rp->Parse_EapMessage, e->PEAP_CurrentReceivingMsg->Buf, e->PEAP_CurrentReceivingMsg->Size);
 rp->Parse_EapMessage_DataSize = e->PEAP_CurrentReceivingMsg->Size;
 }
 }
@@ -1508,7 +1509,8 @@ RADIUS_PACKET *ParseRadiusPacket(void *data, UINT size)
 {
 if (p->Parse_EapMessage == NULL)
 {
- EAP_MESSAGE *eap = Clone(a.Data, a.DataSize);
+ EAP_MESSAGE *eap = ZeroMalloc(sizeof(EAP_MESSAGE));
+ Copy(eap, a.Data, a.DataSize);
 p->Parse_EapMessage_DataSize = sz_tmp;
@@ -1603,7 +1605,8 @@ RADIUS_PACKET *ParseRadiusPacket(void *data, UINT size)
 p->Parse_EapMessage_DataSize = b->Size;
 p->Parse_EapMessage_DataSize = MIN(p->Parse_EapMessage_DataSize, 1500);
- p->Parse_EapMessage = Clone(b->Buf, p->Parse_EapMessage_DataSize);
+ p->Parse_EapMessage = ZeroMalloc(sizeof(EAP_MESSAGE));
+ Copy(p->Parse_EapMessage, b->Buf, p->Parse_EapMessage_DataSize);
 }
 FreeBuf(b);
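Review bot: The added `Copy(rp->Parse_EapMessage, e->PEAP_CurrentReceivingMsg->Buf, e->PEAP_CurrentReceivingMsg->Size)` in EapSendPacketAndRecvResponse writes a length taken from the received message into an allocation that is now fixed at `sizeof(EAP_MESSAGE)`, and no upper bound on that length is visible in the hunk. If the size can exceed the struct, the copy writes past the end of the new heap buffer. Clamping first would close that: `UINT sz = MIN(e->PEAP_CurrentReceivingMsg->Size, sizeof(EAP_MESSAGE));`, then copy `sz` bytes and store `sz` in `Parse_EapMessage_DataSize`. The same applies to `Copy(eap, a.Data, a.DataSize)` in the first ParseRadiusPacket hunk, unless the attribute parsing outside the hunk already bounds `a.DataSize`. Both function bodies extend beyond the hunks, so an earlier check may exist that is not shown.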
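Review bot: In the last ParseRadiusPacket hunk, the only thing keeping `Copy(p->Parse_EapMessage, b->Buf, p->Parse_EapMessage_DataSize)` inside the new allocation is the literal `1500` in the `MIN(...)` on the line above, and that literal is not tied to `sizeof(EAP_MESSAGE)`. The struct definition is not visible here; presumably it is at least 1500 bytes, but a later change to either value would silently reintroduce an overflow. A comment on the clamp such as `/* 1500 must not exceed sizeof(EAP_MESSAGE): it bounds the Copy below */` would record the invariant, or the clamp could take the smaller of 1500 and `sizeof(EAP_MESSAGE)`. The enclosing block starts and ends outside the hunk.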