jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

EAP-FAST peer: Avoid undefined behavior in pointer arithmetic

Browse source 
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-10-18 11:18:12 +03:00
parent ed5e3a5888
commit 72bb05a033
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/eap_peer/eap_fast.c
View file

@ -1096,7 +1096,7 @@ static int eap_fast_parse_decrypted(struct wpabuf *decrypted,
/* Parse TLVs from the decrypted Phase 2 data */ /* Parse TLVs from the decrypted Phase 2 data */
pos = wpabuf_mhead(decrypted); pos = wpabuf_mhead(decrypted);
end = pos + wpabuf_len(decrypted); end = pos + wpabuf_len(decrypted);
while (pos + 4 < end) { while (end - pos > 4) {
mandatory = pos[0] & 0x80; mandatory = pos[0] & 0x80;
tlv_type = WPA_GET_BE16(pos) & 0x3fff; tlv_type = WPA_GET_BE16(pos) & 0x3fff;
pos += 2; pos += 2;

2
src/eap_peer/eap_fast_pac.c
View file

@ -709,7 +709,7 @@ static void eap_fast_pac_get_a_id(struct eap_fast_pac *pac)
pos = pac->pac_info; pos = pac->pac_info;
end = pos + pac->pac_info_len; end = pos + pac->pac_info_len;
while (pos + 4 < end) { while (end - pos > 4) {
type = WPA_GET_BE16(pos); type = WPA_GET_BE16(pos);
pos += 2; pos += 2;
len = WPA_GET_BE16(pos); len = WPA_GET_BE16(pos);