SEP 12 · 2025
Stack overflow in the EAP-PEAP supplicant of an enterprise AP
Inner-EAP packet framing trusts a length field after a vendor-specific opaque TLV. The TLV is mandatory and unauthenticated. The saved return address is reachable from a portal-side captive packet — pre-association.
High 7.4 · PATCHED · CVE-2025-3088
Full writeup coming soon.
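An added example, not code from this advisory or from the vendor: a C parser that bounds a length field following an opaque TLV against both the received bytes and the destination buffer before copying. The frame layout, the function and constant names, and the 8-byte buffer are assumptions, since the advisory does not give the real format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout, for illustration only (not the vendor's format):
 *   [tlv_type:1][tlv_len:1][tlv_value][inner_len:2, big-endian][inner] */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

int parse_inner_eap(const uint8_t *pkt, size_t pkt_len,
                    uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t off, tlv_len, inner_len;

    if (pkt_len < 2) return PARSE_TRUNCATED;             /* mandatory TLV header */
    tlv_len = pkt[1];
    off = 2;
    if (tlv_len > pkt_len - off) return PARSE_TRUNCATED; /* TLV value must fit */
    off += tlv_len;
    if (pkt_len - off < 2) return PARSE_TRUNCATED;       /* length field must fit */
    inner_len = ((size_t)pkt[off] << 8) | pkt[off + 1];
    off += 2;

    /* The length comes from an unauthenticated packet: bound it by the
     * bytes actually received and by the destination before any copy. */
    if (inner_len > pkt_len - off) return PARSE_TRUNCATED;
    if (inner_len > out_cap) return PARSE_TOO_LONG;

    memcpy(out, pkt + off, inner_len);
    *out_len = inner_len;
    return PARSE_OK;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t PKT_GOOD[]      = { 0xfe, 2, 0xaa, 0xbb, 0x00, 0x03, 1, 2, 3 };
const uint8_t PKT_LIES[]      = { 0xfe, 2, 0xaa, 0xbb, 0x01, 0x00, 1, 2, 3 }; /* claims 256, carries 3 */
const uint8_t PKT_LARGE[]     = { 0xfe, 0, 0x00, 0x09, 1, 2, 3, 4, 5, 6, 7, 8, 9 }; /* 9 > buffer of 8 */
const uint8_t PKT_SHORT_TLV[] = { 0xfe, 9, 0xaa };       /* TLV runs past the end */

/* Parses into a fixed 8-byte buffer; returns bytes copied or a negative error. */
int check_case(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t inner[8];
    size_t n = 0;
    int rc = parse_inner_eap(pkt, pkt_len, inner, sizeof inner, &n);
    return rc == PARSE_OK ? (int)n : rc;
}

int main(void) { return check_case(PKT_GOOD, sizeof PKT_GOOD) == 3 ? 0 : 1; }
```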