From 0a11409c00769026b4e89c5cbb089118256d3475 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 30 Nov 2014 15:39:34 +0200
Subject: [PATCH] Fix omac1_aes_128_vector() not to read beyond addr/len array

Previously, it was possible for the loop through the data components to
increment addr/len index at the last position beyond the declared size.
This resulted in reading beyond those arrays. The read values were not
used and as such, this was unlikely to cause noticeable issues, but
anyway, memory checkers can detect this and the correct behavior is to
stop increments before going beyond the arrays since no more bytes will
be processed after this anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/crypto/aes-omac1.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/crypto/aes-omac1.c b/src/crypto/aes-omac1.c
index 27895eb00..c2b06867e 100644
--- a/src/crypto/aes-omac1.c
+++ b/src/crypto/aes-omac1.c
@@ -65,6 +65,13 @@ int omac1_aes_128_vector(const u8 *key, size_t num_elem,
 		for (i = 0; i < AES_BLOCK_SIZE; i++) {
 			cbc[i] ^= *pos++;
 			if (pos >= end) {
+				/*
+				 * Stop if there are no more bytes to process
+				 * since there are no more entries in the array.
+				 */
+				if (i + 1 == AES_BLOCK_SIZE &&
+				    left == AES_BLOCK_SIZE)
+					break;
 				e++;
 				pos = addr[e];
 				end = pos + len[e];
@@ -83,6 +90,12 @@ int omac1_aes_128_vector(const u8 *key, size_t num_elem,
 		for (i = 0; i < left; i++) {
 			cbc[i] ^= *pos++;
 			if (pos >= end) {
+				/*
+				 * Stop if there are no more bytes to process
+				 * since there are no more entries in the array.
+				 */
+				if (i + 1 == left)
+					break;
 				e++;
 				pos = addr[e];
 				end = pos + len[e];