From 2dbc959699c9180f0923a5926079d823115025f0 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Wed, 18 Jun 2014 16:42:15 +0300 Subject: [PATCH] EAP-FAST: Clean up TLV length validation (CID 62853) Use size_t instead of int for storing and comparing the TLV length against the remaining buffer length to make this easier for static analyzers to understand. Signed-off-by: Jouni Malinen --- src/eap_common/eap_fast_common.c | 2 +- src/eap_common/eap_fast_common.h | 2 +- src/eap_peer/eap_fast.c | 10 ++++++---- src/eap_server/eap_server_fast.c | 10 ++++++---- 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/src/eap_common/eap_fast_common.c b/src/eap_common/eap_fast_common.c index 04b987d23..fceb1b0ad 100644 --- a/src/eap_common/eap_fast_common.c +++ b/src/eap_common/eap_fast_common.c @@ -174,7 +174,7 @@ void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk) int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv, - int tlv_type, u8 *pos, int len) + int tlv_type, u8 *pos, size_t len) { switch (tlv_type) { case EAP_TLV_EAP_PAYLOAD_TLV: diff --git a/src/eap_common/eap_fast_common.h b/src/eap_common/eap_fast_common.h index 895561747..d59a8450b 100644 --- a/src/eap_common/eap_fast_common.h +++ b/src/eap_common/eap_fast_common.h @@ -102,6 +102,6 @@ u8 * eap_fast_derive_key(void *ssl_ctx, struct tls_connection *conn, void eap_fast_derive_eap_msk(const u8 *simck, u8 *msk); void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk); int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv, - int tlv_type, u8 *pos, int len); + int tlv_type, u8 *pos, size_t len); #endif /* EAP_FAST_H */ diff --git a/src/eap_peer/eap_fast.c b/src/eap_peer/eap_fast.c index cc1f264bb..b3f6a524b 100644 --- a/src/eap_peer/eap_fast.c +++ b/src/eap_peer/eap_fast.c @@ -1080,7 +1080,8 @@ static int eap_fast_parse_decrypted(struct wpabuf *decrypted, struct eap_fast_tlv_parse *tlv, struct wpabuf **resp) { - int mandatory, tlv_type, len, res; + int mandatory, tlv_type, res; + size_t len; u8 *pos, *end; os_memset(tlv, 0, sizeof(*tlv)); @@ -1094,13 +1095,14 @@ static int eap_fast_parse_decrypted(struct wpabuf *decrypted, pos += 2; len = WPA_GET_BE16(pos); pos += 2; - if (pos + len > end) { + if (len > (size_t) (end - pos)) { wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); return -1; } wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " - "TLV type %d length %d%s", - tlv_type, len, mandatory ? " (mandatory)" : ""); + "TLV type %d length %u%s", + tlv_type, (unsigned int) len, + mandatory ? " (mandatory)" : ""); res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); if (res == -2) diff --git a/src/eap_server/eap_server_fast.c b/src/eap_server/eap_server_fast.c index fcb80dc75..44a443af7 100644 --- a/src/eap_server/eap_server_fast.c +++ b/src/eap_server/eap_server_fast.c @@ -1123,7 +1123,8 @@ static void eap_fast_process_phase2_eap(struct eap_sm *sm, static int eap_fast_parse_tlvs(struct wpabuf *data, struct eap_fast_tlv_parse *tlv) { - int mandatory, tlv_type, len, res; + int mandatory, tlv_type, res; + size_t len; u8 *pos, *end; os_memset(tlv, 0, sizeof(*tlv)); @@ -1136,13 +1137,14 @@ static int eap_fast_parse_tlvs(struct wpabuf *data, pos += 2; len = WPA_GET_BE16(pos); pos += 2; - if (pos + len > end) { + if (len > (size_t) (end - pos)) { wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); return -1; } wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " - "TLV type %d length %d%s", - tlv_type, len, mandatory ? " (mandatory)" : ""); + "TLV type %d length %u%s", + tlv_type, (unsigned int) len, + mandatory ? " (mandatory)" : ""); res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); if (res == -2)