Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-01-29 08:14:02 -05:00
Code Issues Projects Releases Wiki Activity

WNM: Use a clearer validation step for key_len_total

Browse Source 
The previous one based on pointer arithmetic was apparently too much for
some static analyzers (CID 68130).

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-11-23 18:04:02 +02:00
parent 76874379d3
commit fecc09edc3
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
wpa_supplicant/wnm_sta.c
View File

@ -245,6 +245,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
/* multiple TFS Resp IE (assuming consecutive) */ /* multiple TFS Resp IE (assuming consecutive) */
u8 *tfsresp_ie_start = NULL; u8 *tfsresp_ie_start = NULL;
u8 *tfsresp_ie_end = NULL; u8 *tfsresp_ie_end = NULL;
size_t left;
if (len < 3) if (len < 3)
return; return;
@ -252,11 +253,12 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d", wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d",
frm[0], key_len_total); frm[0], key_len_total);
pos += 3 + key_len_total; left = len - 3;
if (pos > frm + len) { if (key_len_total > left) {
wpa_printf(MSG_INFO, "WNM: Too short frame for Key Data field"); wpa_printf(MSG_INFO, "WNM: Too short frame for Key Data field");
return; return;
} }
pos += 3 + key_len_total;
while (pos - frm < len) { while (pos - frm < len) {
u8 ie_len = *(pos + 1); u8 ie_len = *(pos + 1);
if (pos + 2 + ie_len > frm + len) { if (pos + 2 + ie_len > frm + len) {