TLS client: Check DH parameters using a local variable
Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This should make it easier for static analyzers to determine that the value is bounds-checked. (CID 72699) Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
43aee94899
commit
76874379d3
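--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -440,6 +440,7 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 const u8 *pos, *end, *server_params, *server_params_end;
 u8 alert;
 unsigned int bits;
+u16 val;
 
 tlsv1_client_free_dh(conn);
 
@@ -449,13 +450,13 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 if (end - pos < 3)
 goto fail;
 server_params = pos;
-conn->dh_p_len = WPA_GET_BE16(pos);
+val = WPA_GET_BE16(pos);
 pos += 2;
-if (conn->dh_p_len == 0 || conn->dh_p_len > (size_t) (end - pos)) {
-wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
-(unsigned long) conn->dh_p_len);
+if (val == 0 || val > (size_t) (end - pos)) {
+wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
 goto fail;
 }
+conn->dh_p_len = val;
 bits = count_bits(pos, conn->dh_p_len);
 if (bits < 768) {
 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
@@ -474,10 +475,11 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 
 if (end - pos < 3)
 goto fail;
-conn->dh_g_len = WPA_GET_BE16(pos);
+val = WPA_GET_BE16(pos);
 pos += 2;
-if (conn->dh_g_len == 0 || conn->dh_g_len > (size_t) (end - pos))
+if (val == 0 || val > (size_t) (end - pos))
 goto fail;
+conn->dh_g_len = val;
 conn->dh_g = os_malloc(conn->dh_g_len);
 if (conn->dh_g == NULL)
 goto fail;
@@ -490,10 +492,11 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 
 if (end - pos < 3)
 goto fail;
-conn->dh_ys_len = WPA_GET_BE16(pos);
+val = WPA_GET_BE16(pos);
 pos += 2;
-if (conn->dh_ys_len == 0 || conn->dh_ys_len > (size_t) (end - pos))
+if (val == 0 || val > (size_t) (end - pos))
 goto fail;
+conn->dh_ys_len = val;
 conn->dh_ys = os_malloc(conn->dh_ys_len);
 if (conn->dh_ys == NULL)
 goto fail;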
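Review bot: The checks in all three hunks bound only the encoded lengths, so a server public value Ys equal to 0, 1 or p-1 still passes into `conn->dh_ys` unless it is rejected later in tlsv1_process_diffie_hellman, whose body begins and ends outside these hunks; a range check of Ys against the received p (1 < Ys < p-1) once Ys has been stored would let the client refuse a degenerate key share before the premaster secret is derived, and the same applies to a generator g of 0 or 1. The dh_g and dh_ys rejections at `if (val == 0 || val > (size_t) (end - pos))` also fail silently while the dh_p case logs the bad length; adding `wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_g length %u", val);` and the dh_ys equivalent before their `goto fail` would make rejected handshakes diagnosable from the debug log. Since the read-length/check/assign triple now appears three times, a small static helper taking `&pos`, `end` and a `size_t *` target would remove the duplication and keep the bounds check in one place.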
|