EAP-PAX server: Add explicit CID length limit

Instead of relying on the implicit limit of 65535 imposed by the 16-bit
unsigned length field, limit the maximum length of a CID explicitly
to 1500 bytes. This will hopefully help reduce false warnings from
static analyzers (CID 72712).

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-09-07 17:10:33 +03:00
parent 6a6566c7af
commit 6473e80ea4


@ -287,7 +287,7 @@ static void eap_pax_process_std_2(struct eap_sm *sm,
struct eap_pax_hdr *resp; struct eap_pax_hdr *resp;
u8 mac[EAP_PAX_MAC_LEN], icvbuf[EAP_PAX_ICV_LEN]; u8 mac[EAP_PAX_MAC_LEN], icvbuf[EAP_PAX_ICV_LEN];
const u8 *pos; const u8 *pos;
size_t len, left; size_t len, left, cid_len;
int i; int i;
if (data->state != PAX_STD_1) if (data->state != PAX_STD_1)
@ -320,7 +320,12 @@ static void eap_pax_process_std_2(struct eap_sm *sm,
wpa_printf(MSG_INFO, "EAP-PAX: Too short PAX_STD-2 (CID)"); wpa_printf(MSG_INFO, "EAP-PAX: Too short PAX_STD-2 (CID)");
return; return;
} }
data->cid_len = WPA_GET_BE16(pos); cid_len = WPA_GET_BE16(pos);
if (cid_len > 1500) {
wpa_printf(MSG_INFO, "EAP-PAX: Too long CID");
return;
}
data->cid_len = cid_len;
os_free(data->cid); os_free(data->cid);
data->cid = os_malloc(data->cid_len); data->cid = os_malloc(data->cid_len);
if (data->cid == NULL) { if (data->cid == NULL) {
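Review bot: The new bound at `if (cid_len > 1500) {` is a bare magic number with nothing in the code saying why 1500 was chosen; since the description presents it as an explicit stand-in for the 16-bit field maximum, name it, `#define EAP_PAX_MAX_CID_LEN 1500` with `if (cid_len > EAP_PAX_MAX_CID_LEN) {`, or at least put `/* explicit upper bound, well below the 16-bit maximum, to keep CID allocations small and visible to static analysis */` on the line above it. The rejection path itself is sound: it returns before `os_free(data->cid)`, so the previously accepted CID and `data->cid_len` remain consistent on a rejected message. The comparison of the CID length against the remaining payload (`left`) is not in this hunk; if it still sits after the `os_malloc(data->cid_len)` at the bottom, a bogus length of up to 1500 still causes an allocation before the message is rejected, and moving that comparison up next to the new bound check would avoid that. eap_pax_process_std_2 continues past the end of the hunk.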