From d36f41692671a67913486f76ec6391e6dc326607 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 23 Nov 2014 20:39:52 +0200
Subject: [PATCH] EAP-IKEv2: Make proposal_len validation clearer
Some static analyzers seem to have issues understanding "pos + proposal_len > end" style validation, so convert this to "proposal_len > end - pos" to make this more obvious to be bounds checking for proposal_len. (CID 62874)
Signed-off-by: Jouni Malinen
---
 src/eap_peer/ikev2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/eap_peer/ikev2.c b/src/eap_peer/ikev2.c
index 8186afb53..e6a173ec1 100644
--- a/src/eap_peer/ikev2.c
+++ b/src/eap_peer/ikev2.c
@@ -213,7 +213,7 @@ static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
 p = (const struct ikev2_proposal *) pos;
 proposal_len = WPA_GET_BE16(p->proposal_length);
- if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
+ if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
 proposal_len);
 return -1;
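Review bot: The new comparison `proposal_len > end - pos` is only a sound bounds check if `pos <= end` already holds, and that precondition is not visible in this hunk; ikev2_parse_proposal starts above the hunk and continues below it, so the guard presumably sits earlier in the function. Likewise `p->proposal_length` is read through the cast before any check visible here that at least `sizeof(*p)` bytes remain between `pos` and `end`. The subtraction form is also more than an analyzer-friendly spelling: it compares the 16-bit length taken from the received message against the remaining byte count without ever forming a pointer beyond the buffer, which the old `pos + proposal_len` could. I would record that above the condition so it is not "simplified" back later, e.g. `/* compare with remaining bytes; do not form pos + proposal_len from an unvalidated length */`.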