IKEv2: Use a bit clearer payload header validation step

It looks like the "pos + plen > end" case was not clear enough for a static analyzer to figure out that plen was being verified to not go beyond the buffer. (CID 72687) Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 16:37:16 +02:00 · 2014-11-23 16:37:16 +02:00 · f931374f30
parent f5f3728a81
commit f931374f30
1 changed files with 6 additions and 3 deletions
--- a/src/eap_common/ikev2_common.c
+++ b/src/eap_common/ikev2_common.c
@ -251,11 +251,14 @@ int ikev2_parse_payloads(struct ikev2_payloads *payloads,
 	os_memset(payloads, 0, sizeof(*payloads));

 	while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
-		unsigned int plen, pdatalen;
+		unsigned int plen, pdatalen, left;
 		const u8 *pdata;
 		wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
 			   next_payload);
-		if (end - pos < (int) sizeof(*phdr)) {
+		if (end < pos)
+			return -1;
+		left = end - pos;
+		if (left < sizeof(*phdr)) {
 			wpa_printf(MSG_INFO, "IKEV2:   Too short message for "
 				   "payload header (left=%ld)",
 				   (long) (end - pos));
@ -263,7 +266,7 @@ int ikev2_parse_payloads(struct ikev2_payloads *payloads,
 		}
 		phdr = (const struct ikev2_payload_hdr *) pos;
 		plen = WPA_GET_BE16(phdr->payload_length);
-		if (plen < sizeof(*phdr) || pos + plen > end) {
+		if (plen < sizeof(*phdr) || plen > left) {
 			wpa_printf(MSG_INFO, "IKEV2:   Invalid payload header "
 				   "length %d", plen);
 			return -1;