From c397eff82894efdaf6c6a49f5c9cf58f11564662 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 5 Dec 2014 23:05:11 +0200
Subject: [PATCH] Make GTK length validation easier to analyze

Bounds checking for gd->gtk_len in wpa_supplicant_check_group_cipher() was apparently too complex for some static analyzers. Use a local variable and a more explicit validation step to avoid false report. (CID 62864)

Signed-off-by: Jouni Malinen
---
 src/rsn_supp/wpa.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 1d38ba508..ba42e5e42 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1276,8 +1276,9 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
 					      u16 ver, struct wpa_gtk_data *gd)
 {
 	size_t maxkeylen;
+	u16 gtk_len;
 
-	gd->gtk_len = WPA_GET_BE16(key->key_length);
+	gtk_len = WPA_GET_BE16(key->key_length);
 	maxkeylen = key_data_len;
 	if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
 		if (maxkeylen < 8) {
@@ -1289,11 +1290,13 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
 		maxkeylen -= 8;
 	}
 
-	if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
-					      gd->gtk_len, maxkeylen,
+	if (gtk_len > maxkeylen ||
+	    wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
+					      gtk_len, maxkeylen,
 					      &gd->key_rsc_len, &gd->alg))
 		return -1;
 
+	gd->gtk_len = gtk_len;
 	gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
 		WPA_KEY_INFO_KEY_INDEX_SHIFT;
 	if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
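Review bot: The new `gtk_len > maxkeylen` guard in the second hunk rejects the Group Key message with a bare `return -1`, while the other length failure in this function (`maxkeylen < 8` in the first hunk) appears to go through a branch with room for a diagnostic; a one-line `wpa_printf(MSG_INFO, "WPA: GTK length %u exceeds available key data %lu", gtk_len, (unsigned long) maxkeylen);` before the return would make a malformed or truncated group-key frame from the AP visible in the supplicant log instead of a silent drop. Deferring `gd->gtk_len = gtk_len;` until after validation is the right ordering, since a caller that ignores the -1 can no longer see an unvalidated length in the struct; a short comment above the condition, `/* Bound gtk_len here so later copies of the GTK are provably within key_data */`, would record why the check is stated ahead of wpa_supplicant_check_group_cipher rather than relied on inside it. wpa_supplicant_process_1_of_2_wpa begins before the first hunk and continues past the second.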