Remove unnecessary and confusing length check from the PMKID KDE case

wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.

This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2020-03-15 23:24:18 +02:00
parent 094c9cdc7e
commit a1afa2df8a


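--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -2681,12 +2681,10 @@ static int wpa_parse_vendor_specific(const u8 *pos, const u8 *end,
 /**
 * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs
 * @pos: Pointer to the IE header
-* @end: Pointer to the end of the Key Data buffer
 * @ie: Pointer to parsed IE data
 * Returns: 0 on success, 1 if end mark is found, -1 on failure
 */
-static int wpa_parse_generic(const u8 *pos, const u8 *end,
-struct wpa_eapol_ie_parse *ie)
+static int wpa_parse_generic(const u8 *pos, struct wpa_eapol_ie_parse *ie)
 {
 if (pos[1] == 0)
 return 1;
@@ -2708,8 +2706,7 @@ static int wpa_parse_generic(const u8 *pos, const u8 *end,
 return 0;
 }
-if (1 + RSN_SELECTOR_LEN < end - pos &&
-pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
+if (pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
 RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
 ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
 wpa_hexdump(MSG_DEBUG, "WPA: PMKID in EAPOL-Key",
@@ -2895,7 +2892,7 @@ int wpa_parse_kde_ies(const u8 *buf, size_t len, struct wpa_eapol_ie_parse *ie)
 ie->supp_oper_classes_len = pos[1];
 }
 } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
-ret = wpa_parse_generic(pos, end, ie);
+ret = wpa_parse_generic(pos, ie);
 if (ret < 0)
 break;
 if (ret > 0) {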
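Review bot: With `end` gone, wpa_parse_generic's PMKID case reads RSN_SELECTOR_LEN octets at pos + 2 and hands out pos + 2 + RSN_SELECTOR_LEN as ie->pmkid relying only on pos[1], so the function's memory safety is now a precondition on the caller that the doc comment in the first hunk no longer states. I would make it explicit in the header block: `* @pos: Pointer to the IE header; the caller must have verified that pos[1] octets of payload follow pos + 2`. The ordering of the two conditions in the second hunk is also load-bearing, since the `pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN` test is what keeps RSN_SELECTOR_GET(pos + 2) inside the declared payload, and a one-line comment such as `/* length test first: it bounds the selector read below */` would keep a future reorder from silently breaking that. The body of wpa_parse_generic continues outside these hunks, and the caller-side length check in wpa_parse_kde_ies that the commit message relies on is outside the third hunk, so its coverage of every KDE case cannot be confirmed from the visible lines.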