authorJouni Malinen <j@w1.fi>2014-10-11 16:22:30 (GMT)
committerJouni Malinen <j@w1.fi>2014-10-11 16:22:30 (GMT)
commit08ef4426a796b5a5f66f1ade233664a812910d1f (patch)
tree5003369cd27c96092d09e7486ba8170d312855a1 /src/eap_common
parent683b408a9eb2bfa4579d50f7649017ec16b5ee47 (diff)
EAP-IKEv2: Fix the payload parser
The payload lengths were not properly verified and the first check on there being enough buffer for the header was practically ignored. The second check for the full payload would catch length issues, but this is only after the potential read beyond the buffer. (CID 72687) Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_common')
-rw-r--r--src/eap_common/ikev2_common.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/eap_common/ikev2_common.c b/src/eap_common/ikev2_common.c
index 3d4fb6f..4b5e665 100644
--- a/src/eap_common/ikev2_common.c
+++ b/src/eap_common/ikev2_common.c
@@ -251,7 +251,7 @@ int ikev2_parse_payloads(struct ikev2_payloads *payloads,
os_memset(payloads, 0, sizeof(*payloads));
while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
- int plen, pdatalen;
+ unsigned int plen, pdatalen;
const u8 *pdata;
wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
next_payload);
@@ -259,17 +259,18 @@ int ikev2_parse_payloads(struct ikev2_payloads *payloads,
wpa_printf(MSG_INFO, "IKEV2: Too short message for "
"payload header (left=%ld)",
(long) (end - pos));
+ return -1;
}
phdr = (const struct ikev2_payload_hdr *) pos;
plen = WPA_GET_BE16(phdr->payload_length);
- if (plen < (int) sizeof(*phdr) || pos + plen > end) {
+ if (plen < sizeof(*phdr) || plen > end - pos) {
wpa_printf(MSG_INFO, "IKEV2: Invalid payload header "
"length %d", plen);
return -1;
}
wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Flags: 0x%x"
- " Payload Length: %d",
+ " Payload Length: %u",
phdr->next_payload, phdr->flags, plen);
pdata = (const u8 *) (phdr + 1);
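Review bot: The "Invalid payload header length %d" message still prints `plen` with `%d` although `plen` is now `unsigned int`; the commit corrects only the "Payload Length" debug line, so the error path should become `"length %u", plen);` as well. Separately, `plen > end - pos` compares an unsigned value with a pointer difference. On targets where `ptrdiff_t` is no wider than `unsigned int`, the difference is converted to unsigned, so the bound holds only because the header-size check above now returns before this point. Writing it as `plen > (size_t) (end - pos)`, with a one-line comment such as `/* end - pos >= sizeof(*phdr) is guaranteed by the check above */`, would keep that dependency visible to anyone who later reorders the checks. The condition of the first check and the rest of the loop body lie outside this hunk, so the later uses of `pdatalen` as an unsigned value could not be reviewed here.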