From e7b96ecdb3cd132152123411afabf4e8970df154 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 11 Oct 2014 19:04:00 +0300
Subject: [PATCH] TLS client: Make DH parameter parsing easier for static analyzers

The dh_p_len, dh_g_len, and dh_ys_len parameters were validated against the received message structure, but that did not seem to be done in a way that some static analyzers would understand this (CID 72699).

Signed-off-by: Jouni Malinen
---
 src/tls/tlsv1_client_read.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c
index 4f08e0f9d..101e0cb1a 100644
--- a/src/tls/tlsv1_client_read.c
+++ b/src/tls/tlsv1_client_read.c
@@ -451,7 +451,7 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 server_params = pos;
 conn->dh_p_len = WPA_GET_BE16(pos);
 pos += 2;
- if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
+ if (conn->dh_p_len == 0 || conn->dh_p_len > (size_t) (end - pos)) {
 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
 (unsigned long) conn->dh_p_len);
 goto fail;
@@ -476,7 +476,7 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 goto fail;
 conn->dh_g_len = WPA_GET_BE16(pos);
 pos += 2;
- if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
+ if (conn->dh_g_len == 0 || conn->dh_g_len > (size_t) (end - pos))
 goto fail;
 conn->dh_g = os_malloc(conn->dh_g_len);
 if (conn->dh_g == NULL)
@@ -492,7 +492,7 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
 goto fail;
 conn->dh_ys_len = WPA_GET_BE16(pos);
 pos += 2;
- if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
+ if (conn->dh_ys_len == 0 || conn->dh_ys_len > (size_t) (end - pos))
 goto fail;
 conn->dh_ys = os_malloc(conn->dh_ys_len);
 if (conn->dh_ys == NULL)
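Review bot: The rewritten comparison `conn->dh_p_len > (size_t) (end - pos)` is only correct while `end - pos` is non-negative; a negative difference would convert to a very large size_t and every length would pass, whereas the old signed comparison failed closed in that case. The guard that bounds the remaining length sits above the first context line of this hunk and is not visible here; in the dh_g and dh_ys hunks, which use the same cast, the leading `goto fail;` context line is presumably that guard. Assuming it does bound the value, a short comment at each check would record the dependency, e.g. `/* end - pos cannot be negative here: remaining length was checked before the 2-byte length field was read */`. tlsv1_process_diffie_hellman starts and ends outside all three hunks.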
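Review bot: The dh_ys check in this hunk bounds only the length: any non-zero length that fits in the remaining message is accepted and an allocation of that size follows. Nothing visible validates the server's public value itself (for example that it is greater than 1 and less than dh_p - 1), and likewise no minimum size for dh_p is visible in the first hunk; either may be handled later in the function, which continues outside the hunk. If not, that is worth a follow-up, and in the meantime a comment such as `/* length validated only; the value of dh_ys is not range-checked here */` would keep the length check from being read as full parameter validation.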