From a1afa2df8a521bce88f1e0b13dc6650be0e69494 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 15 Mar 2020 23:24:18 +0200
Subject: [PATCH] Remove unnecessary and confusing length check from the PMKID KDE case

wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(), verifies that there is room for KDE Length field and pos[1] (that length) octets of payload in the Key Data buffer. The PMKID KDE case within wpa_parse_generic() was doing an unnecessary separate check for there being room for the Length, OUI, and Data Type fields. This is covered by the check in the calling function with the combination of verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN + PMKID_LEN octets of payload. This is confusing since no other KDE case was checking remaining full buffer room within wpa_parse_generic(). Clean this up by removing the unnecessary check from the PMKID KDE case so that all KDEs are handled consistently.

Signed-off-by: Jouni Malinen
---
 src/common/wpa_common.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index e8a4a2beb..aaeb13023 100644
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -2681,12 +2681,10 @@ static int wpa_parse_vendor_specific(const u8 *pos, const u8 *end,
 /**
  * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs
  * @pos: Pointer to the IE header
- * @end: Pointer to the end of the Key Data buffer
  * @ie: Pointer to parsed IE data
  * Returns: 0 on success, 1 if end mark is found, -1 on failure
  */
-static int wpa_parse_generic(const u8 *pos, const u8 *end,
-			     struct wpa_eapol_ie_parse *ie)
+static int wpa_parse_generic(const u8 *pos, struct wpa_eapol_ie_parse *ie)
 {
 	if (pos[1] == 0)
 		return 1;
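Review bot: With @end gone, wpa_parse_generic() can no longer verify buffer room on its own, so the safety of `RSN_SELECTOR_GET(pos + 2)` and of the `ie->pmkid = pos + 2 + RSN_SELECTOR_LEN` assignment in the second hunk now rests entirely on the caller having already checked that pos[1] payload octets fit inside the Key Data buffer, and that precondition is stated only in the commit message, not in the code. I would record it in the kernel-doc block this hunk edits, e.g. after the @pos line: ` * The caller must have verified that pos[1] octets of payload follow the two-octet header; this function performs no buffer-bound checks of its own.` The check in wpa_parse_kde_ies() that is said to establish this invariant is outside these hunks, so I cannot confirm its exact form here. The body of wpa_parse_generic() continues past the end of this hunk.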
@@ -2708,8 +2706,7 @@ static int wpa_parse_generic(const u8 *pos, const u8 *end,
 		return 0;
 	}
 
-	if (1 + RSN_SELECTOR_LEN < end - pos &&
-	    pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
+	if (pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
 		ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
 		wpa_hexdump(MSG_DEBUG, "WPA: PMKID in EAPOL-Key",
@@ -2895,7 +2892,7 @@ int wpa_parse_kde_ies(const u8 *buf, size_t len, struct wpa_eapol_ie_parse *ie)
 			ie->supp_oper_classes_len = pos[1];
 		}
 	} else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
-		ret = wpa_parse_generic(pos, end, ie);
+		ret = wpa_parse_generic(pos, ie);
 		if (ret < 0)
 			break;
 		if (ret > 0) {