diff options
| author | Jouni Malinen <j@w1.fi> | 2014-06-18 13:42:15 (GMT) |
|---|---|---|
| committer | Jouni Malinen <j@w1.fi> | 2014-06-18 13:45:03 (GMT) |
| commit | 2dbc959699c9180f0923a5926079d823115025f0 (patch) | |
| tree | 16c3b398da8dd55dad5f3af20882210c6fa177fe /src/eap_server | |
| parent | 35cbadbb14b3c60b737f85940468ad6cfe0f05ad (diff) | |
| download | hostap-2dbc959699c9180f0923a5926079d823115025f0.zip hostap-2dbc959699c9180f0923a5926079d823115025f0.tar.gz hostap-2dbc959699c9180f0923a5926079d823115025f0.tar.bz2 | |
EAP-FAST: Clean up TLV length validation (CID 62853)
Use size_t instead of int for storing and comparing the TLV length
against the remaining buffer length to make this easier for static
analyzers to understand.
Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_server')
| -rw-r--r-- | src/eap_server/eap_server_fast.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/eap_server/eap_server_fast.c b/src/eap_server/eap_server_fast.c index fcb80dc..44a443a 100644 --- a/src/eap_server/eap_server_fast.c +++ b/src/eap_server/eap_server_fast.c @@ -1123,7 +1123,8 @@ static void eap_fast_process_phase2_eap(struct eap_sm *sm, static int eap_fast_parse_tlvs(struct wpabuf *data, struct eap_fast_tlv_parse *tlv) { - int mandatory, tlv_type, len, res; + int mandatory, tlv_type, res; + size_t len; u8 *pos, *end; os_memset(tlv, 0, sizeof(*tlv)); @@ -1136,13 +1137,14 @@ static int eap_fast_parse_tlvs(struct wpabuf *data, pos += 2; len = WPA_GET_BE16(pos); pos += 2; - if (pos + len > end) { + if (len > (size_t) (end - pos)) { wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow"); return -1; } wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: " - "TLV type %d length %d%s", - tlv_type, len, mandatory ? " (mandatory)" : ""); + "TLV type %d length %u%s", + tlv_type, (unsigned int) len, + mandatory ? " (mandatory)" : ""); res = eap_fast_parse_tlv(tlv, tlv_type, pos, len); if (res == -2) |