Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2024-11-25 08:48:31 -05:00
Code Issues Projects Releases Wiki Activity

EAP-FAST: Clean up TLV length validation (CID 62853)

Browse Source 
Use size_t instead of int for storing and comparing the TLV length
against the remaining buffer length to make this easier for static
analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-06-18 16:42:15 +03:00
parent 35cbadbb14
commit 2dbc959699
4 changed files with 14 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/eap_common/eap_fast_common.c
View File

@ -174,7 +174,7 @@ void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk)
int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv, int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
int tlv_type, u8 *pos, int len) int tlv_type, u8 *pos, size_t len)
{ {
switch (tlv_type) { switch (tlv_type) {
case EAP_TLV_EAP_PAYLOAD_TLV: case EAP_TLV_EAP_PAYLOAD_TLV:

2
src/eap_common/eap_fast_common.h
View File

@ -102,6 +102,6 @@ u8 * eap_fast_derive_key(void *ssl_ctx, struct tls_connection *conn,
void eap_fast_derive_eap_msk(const u8 *simck, u8 *msk); void eap_fast_derive_eap_msk(const u8 *simck, u8 *msk);
void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk); void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk);
int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv, int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
int tlv_type, u8 *pos, int len); int tlv_type, u8 *pos, size_t len);
#endif /* EAP_FAST_H */ #endif /* EAP_FAST_H */

10
src/eap_peer/eap_fast.c
View File

@ -1080,7 +1080,8 @@ static int eap_fast_parse_decrypted(struct wpabuf *decrypted,
struct eap_fast_tlv_parse *tlv, struct eap_fast_tlv_parse *tlv,
struct wpabuf **resp) struct wpabuf **resp)
{ {
int mandatory, tlv_type, len, res; int mandatory, tlv_type, res;
size_t len;
u8 *pos, *end; u8 *pos, *end;
os_memset(tlv, 0, sizeof(*tlv)); os_memset(tlv, 0, sizeof(*tlv));
@ -1094,13 +1095,14 @@ static int eap_fast_parse_decrypted(struct wpabuf *decrypted,
pos += 2; pos += 2;
len = WPA_GET_BE16(pos); len = WPA_GET_BE16(pos);
pos += 2; pos += 2;
if (pos + len > end) { if (len > (size_t) (end - pos)) {
wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow");
return -1; return -1;
} }
wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: "
"TLV type %d length %d%s", "TLV type %d length %u%s",
tlv_type, len, mandatory ? " (mandatory)" : ""); tlv_type, (unsigned int) len,
mandatory ? " (mandatory)" : "");
res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); res = eap_fast_parse_tlv(tlv, tlv_type, pos, len);
if (res == -2) if (res == -2)

10
src/eap_server/eap_server_fast.c
View File

@ -1123,7 +1123,8 @@ static void eap_fast_process_phase2_eap(struct eap_sm *sm,
static int eap_fast_parse_tlvs(struct wpabuf *data, static int eap_fast_parse_tlvs(struct wpabuf *data,
struct eap_fast_tlv_parse *tlv) struct eap_fast_tlv_parse *tlv)
{ {
int mandatory, tlv_type, len, res; int mandatory, tlv_type, res;
size_t len;
u8 *pos, *end; u8 *pos, *end;
os_memset(tlv, 0, sizeof(*tlv)); os_memset(tlv, 0, sizeof(*tlv));
@ -1136,13 +1137,14 @@ static int eap_fast_parse_tlvs(struct wpabuf *data,
pos += 2; pos += 2;
len = WPA_GET_BE16(pos); len = WPA_GET_BE16(pos);
pos += 2; pos += 2;
if (pos + len > end) { if (len > (size_t) (end - pos)) {
wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow");
return -1; return -1;
} }
wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: "
"TLV type %d length %d%s", "TLV type %d length %u%s",
tlv_type, len, mandatory ? " (mandatory)" : ""); tlv_type, (unsigned int) len,
mandatory ? " (mandatory)" : "");
res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); res = eap_fast_parse_tlv(tlv, tlv_type, pos, len);
if (res == -2) if (res == -2)