mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-01-18 02:44:03 -05:00
RSN: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
f758ae7665
commit
2461724c05
@ -1003,8 +1003,8 @@ static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
|
||||
if (sm->assoc_resp_ies) {
|
||||
pos = sm->assoc_resp_ies;
|
||||
end = pos + sm->assoc_resp_ies_len;
|
||||
while (pos + 2 < end) {
|
||||
if (pos + 2 + pos[1] > end)
|
||||
while (end - pos > 2) {
|
||||
if (2 + pos[1] > end - pos)
|
||||
break;
|
||||
switch (*pos) {
|
||||
case WLAN_EID_MOBILITY_DOMAIN:
|
||||
|
@ -378,7 +378,7 @@ static int wpa_parse_generic(const u8 *pos, const u8 *end,
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (pos + 1 + RSN_SELECTOR_LEN < end &&
|
||||
if (1 + RSN_SELECTOR_LEN < end - pos &&
|
||||
pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
|
||||
RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
|
||||
ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
|
||||
@ -491,13 +491,13 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
|
||||
int ret = 0;
|
||||
|
||||
os_memset(ie, 0, sizeof(*ie));
|
||||
for (pos = buf, end = pos + len; pos + 1 < end; pos += 2 + pos[1]) {
|
||||
for (pos = buf, end = pos + len; end - pos > 1; pos += 2 + pos[1]) {
|
||||
if (pos[0] == 0xdd &&
|
||||
((pos == buf + len - 1) || pos[1] == 0)) {
|
||||
/* Ignore padding */
|
||||
break;
|
||||
}
|
||||
if (pos + 2 + pos[1] > end) {
|
||||
if (2 + pos[1] > end - pos) {
|
||||
wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key Key Data "
|
||||
"underflow (ie=%d len=%d pos=%d)",
|
||||
pos[0], pos[1], (int) (pos - buf));
|
||||
|
Loading…
Reference in New Issue
Block a user