mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-29 02:38:22 -05:00
PCSC: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
80c620dbd7
commit
40762fcede
@ -275,7 +275,7 @@ static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,
|
|||||||
pos++;
|
pos++;
|
||||||
if (pos >= end)
|
if (pos >= end)
|
||||||
return -1;
|
return -1;
|
||||||
if ((pos + pos[0]) < end)
|
if (pos[0] < end - pos)
|
||||||
end = pos + 1 + pos[0];
|
end = pos + 1 + pos[0];
|
||||||
pos++;
|
pos++;
|
||||||
wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
|
wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
|
||||||
@ -1385,7 +1385,7 @@ int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
|
|||||||
end = buf + len;
|
end = buf + len;
|
||||||
|
|
||||||
/* RES */
|
/* RES */
|
||||||
if (pos[0] > RES_MAX_LEN || pos + pos[0] > end) {
|
if (pos[0] > RES_MAX_LEN || pos[0] > end - pos) {
|
||||||
wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
|
wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@ -1395,7 +1395,7 @@ int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
|
|||||||
wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
|
wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
|
||||||
|
|
||||||
/* CK */
|
/* CK */
|
||||||
if (pos[0] != CK_LEN || pos + CK_LEN > end) {
|
if (pos[0] != CK_LEN || CK_LEN > end - pos) {
|
||||||
wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
|
wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@ -1405,7 +1405,7 @@ int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
|
|||||||
wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
|
wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
|
||||||
|
|
||||||
/* IK */
|
/* IK */
|
||||||
if (pos[0] != IK_LEN || pos + IK_LEN > end) {
|
if (pos[0] != IK_LEN || IK_LEN > end - pos) {
|
||||||
wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
|
wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user