Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-01-18 02:44:03 -05:00
Code Issues Projects Releases Wiki Activity

WPA: Use more explicit WPA/RSN selector count validation

Browse Source 
Some static analyzers had problems understanding "left < count * len"
(CID 62855, CID 62856), so convert this to equivalent "count > left /
len" (len here is fixed to 4, so this can be done efficiently).

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-11-23 21:08:13 +02:00
parent adf96fb66b
commit 649c0a6974
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/common/wpa_common.c
View File

@ -510,7 +510,7 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
count = WPA_GET_LE16(pos); count = WPA_GET_LE16(pos);
pos += 2; pos += 2;
left -= 2; left -= 2;
if (count == 0 || left < count * RSN_SELECTOR_LEN) { if (count == 0 || count > left / RSN_SELECTOR_LEN) {
wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
"count %u left %u", __func__, count, left); "count %u left %u", __func__, count, left);
return -4; return -4;
@ -538,7 +538,7 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
count = WPA_GET_LE16(pos); count = WPA_GET_LE16(pos);
pos += 2; pos += 2;
left -= 2; left -= 2;
if (count == 0 || left < count * RSN_SELECTOR_LEN) { if (count == 0 || count > left / RSN_SELECTOR_LEN) {
wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
"count %u left %u", __func__, count, left); "count %u left %u", __func__, count, left);
return -6; return -6;
@ -688,7 +688,7 @@ int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
count = WPA_GET_LE16(pos); count = WPA_GET_LE16(pos);
pos += 2; pos += 2;
left -= 2; left -= 2;
if (count == 0 || left < count * WPA_SELECTOR_LEN) { if (count == 0 || count > left / WPA_SELECTOR_LEN) {
wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), " wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
"count %u left %u", __func__, count, left); "count %u left %u", __func__, count, left);
return -4; return -4;
@ -709,7 +709,7 @@ int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
count = WPA_GET_LE16(pos); count = WPA_GET_LE16(pos);
pos += 2; pos += 2;
left -= 2; left -= 2;
if (count == 0 || left < count * WPA_SELECTOR_LEN) { if (count == 0 || count > left / WPA_SELECTOR_LEN) {
wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), " wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
"count %u left %u", __func__, count, left); "count %u left %u", __func__, count, left);
return -6; return -6;