PCSC: Avoid undefined behavior in pointer arithmetic

Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-10-18 18:51:59 +03:00
parent 80c620dbd7
commit 40762fcede

View File

@ -275,7 +275,7 @@ static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,
pos++; pos++;
if (pos >= end) if (pos >= end)
return -1; return -1;
if ((pos + pos[0]) < end) if (pos[0] < end - pos)
end = pos + 1 + pos[0]; end = pos + 1 + pos[0];
pos++; pos++;
wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template", wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
@ -1385,7 +1385,7 @@ int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
end = buf + len; end = buf + len;
/* RES */ /* RES */
if (pos[0] > RES_MAX_LEN || pos + pos[0] > end) { if (pos[0] > RES_MAX_LEN || pos[0] > end - pos) {
wpa_printf(MSG_DEBUG, "SCARD: Invalid RES"); wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
return -1; return -1;
} }
@ -1395,7 +1395,7 @@ int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len); wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
/* CK */ /* CK */
if (pos[0] != CK_LEN || pos + CK_LEN > end) { if (pos[0] != CK_LEN || CK_LEN > end - pos) {
wpa_printf(MSG_DEBUG, "SCARD: Invalid CK"); wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
return -1; return -1;
} }
@ -1405,7 +1405,7 @@ int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN); wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
/* IK */ /* IK */
if (pos[0] != IK_LEN || pos + IK_LEN > end) { if (pos[0] != IK_LEN || IK_LEN > end - pos) {
wpa_printf(MSG_DEBUG, "SCARD: Invalid IK"); wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
return -1; return -1;
} }