These functions take a pointer and a length as input and use the first byte as a type.
If the type is EAPT_MD5CHAP(4), the code reads an embedded 1-byte length field.
The logic in this code is intended to confirm that the embedded length is smaller than the whole packet length.
This bounds check is incorrect and allows a memory copy to happen with an arbitrary length of data.
source: www.techworm.net
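
A correct form of the two checks described above, as an added example that is not code from the original page or from the affected project. The function name, return codes, `NAME_CAP` and the sample packets are hypothetical, and the layout (type byte, 1-byte length, value, then trailing data copied into a fixed buffer) is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAPT_MD5CHAP 4  /* type value named in the text */
#define NAME_CAP 16     /* hypothetical size of the fixed destination buffer */

enum parse_rc { PARSE_OK, PARSE_TRUNCATED, PARSE_WRONG_TYPE,
                PARSE_BAD_VALLEN, PARSE_NAME_TOO_LONG };

/* Hypothetical parser. Assumed layout: type(1) | vallen(1) | value | name. */
static enum parse_rc parse_md5chap(const uint8_t *inp, size_t len,
                                   const uint8_t **value, size_t *vallen,
                                   char name[NAME_CAP])
{
    if (inp == NULL || len < 2)
        return PARSE_TRUNCATED;            /* need the type and length bytes */
    if (inp[0] != EAPT_MD5CHAP)
        return PARSE_WRONG_TYPE;
    size_t vl = inp[1];                    /* embedded 1-byte length field */
    size_t remaining = len - 2;            /* bytes after type and length */
    /* Check 1: the embedded length must fit inside the packet. */
    if (vl == 0 || vl > remaining)
        return PARSE_BAD_VALLEN;
    /* Check 2: bound the copy by the byte count actually copied
     * (remaining - vl), compared against the destination capacity. */
    size_t namelen = remaining - vl;       /* cannot underflow after check 1 */
    if (namelen >= NAME_CAP)
        return PARSE_NAME_TOO_LONG;        /* reject instead of truncating */
    *value = inp + 2;
    *vallen = vl;
    memcpy(name, inp + 2 + vl, namelen);
    name[namelen] = '\0';
    return PARSE_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t pkt_ok[]   = { 4, 4, 0xde, 0xad, 0xbe, 0xef, 'p', 'e', 'e', 'r' };
static const uint8_t pkt_lie[]  = { 4, 200, 0xde, 0xad };   /* length > packet */
static const uint8_t pkt_long[] = { 4, 1, 0xaa, 'A','A','A','A','A','A','A','A',
                                    'A','A','A','A','A','A','A','A','A','A','A','A' };

int main(void)
{
    const uint8_t *v; size_t vl; char name[NAME_CAP];
    printf("%d\n", parse_md5chap(pkt_ok, sizeof pkt_ok, &v, &vl, name));
    printf("%d\n", parse_md5chap(pkt_lie, sizeof pkt_lie, &v, &vl, name));
    printf("%d\n", parse_md5chap(pkt_long, sizeof pkt_long, &v, &vl, name));
    return 0;
}
```

Both comparisons are made on `size_t` values derived from the real packet length, so neither can wrap, and the copy length is the same quantity that was checked against the destination size.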