aboutsummaryrefslogtreecommitdiffstats
path: root/src/eap_peer/eap_fast.c
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-10-18 08:18:12 (GMT)
committerJouni Malinen <j@w1.fi>2015-10-24 18:43:54 (GMT)
commit72bb05a0333f76135a079eee844c71eff740a6ed (patch)
tree988cd61e3acbbf813334a45504a62e49de2e8f79 /src/eap_peer/eap_fast.c
parented5e3a5888965969f19590561716d073045716a5 (diff)
downloadhostap-72bb05a0333f76135a079eee844c71eff740a6ed.zip
hostap-72bb05a0333f76135a079eee844c71eff740a6ed.tar.gz
hostap-72bb05a0333f76135a079eee844c71eff740a6ed.tar.bz2
EAP-FAST peer: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_peer/eap_fast.c')
-rw-r--r--src/eap_peer/eap_fast.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/eap_peer/eap_fast.c b/src/eap_peer/eap_fast.c
index 4cbe3ba..833dcb6 100644
--- a/src/eap_peer/eap_fast.c
+++ b/src/eap_peer/eap_fast.c
@@ -1096,7 +1096,7 @@ static int eap_fast_parse_decrypted(struct wpabuf *decrypted,
/* Parse TLVs from the decrypted Phase 2 data */
pos = wpabuf_mhead(decrypted);
end = pos + wpabuf_len(decrypted);
- while (pos + 4 < end) {
+ while (end - pos > 4) {
mandatory = pos[0] & 0x80;
tlv_type = WPA_GET_BE16(pos) & 0x3fff;
pos += 2;