authorJouni Malinen <j@w1.fi>2014-11-23 14:37:16 (GMT)
committerJouni Malinen <j@w1.fi>2014-11-23 14:37:16 (GMT)
commitf931374f301dd16f4fce39db0fc330cb21a679f8 (patch)
tree65a83cf9e0ffedabe01dd1522efdd7baf14ce205 /src/eap_common
parentf5f3728a811830051aa110c5f6790343c352de4b (diff)
downloadhostap-f931374f301dd16f4fce39db0fc330cb21a679f8.zip
hostap-f931374f301dd16f4fce39db0fc330cb21a679f8.tar.gz
hostap-f931374f301dd16f4fce39db0fc330cb21a679f8.tar.bz2
IKEv2: Use a bit clearer payload header validation step
It looks like the "pos + plen > end" case was not clear enough for a static analyzer to figure out that plen was being verified to not go beyond the buffer. (CID 72687) Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_common')
-rw-r--r--src/eap_common/ikev2_common.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/eap_common/ikev2_common.c b/src/eap_common/ikev2_common.c
index 262d9ab..4f9e64e 100644
--- a/src/eap_common/ikev2_common.c
+++ b/src/eap_common/ikev2_common.c
@@ -251,11 +251,14 @@ int ikev2_parse_payloads(struct ikev2_payloads *payloads,
os_memset(payloads, 0, sizeof(*payloads));
while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
- unsigned int plen, pdatalen;
+ unsigned int plen, pdatalen, left;
const u8 *pdata;
wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
next_payload);
- if (end - pos < (int) sizeof(*phdr)) {
+ if (end < pos)
+ return -1;
+ left = end - pos;
+ if (left < sizeof(*phdr)) {
wpa_printf(MSG_INFO, "IKEV2: Too short message for "
"payload header (left=%ld)",
(long) (end - pos));
@@ -263,7 +266,7 @@ int ikev2_parse_payloads(struct ikev2_payloads *payloads,
}
phdr = (const struct ikev2_payload_hdr *) pos;
plen = WPA_GET_BE16(phdr->payload_length);
- if (plen < sizeof(*phdr) || pos + plen > end) {
+ if (plen < sizeof(*phdr) || plen > left) {
wpa_printf(MSG_INFO, "IKEV2: Invalid payload header "
"length %d", plen);
return -1;
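Review bot: The MSG_INFO message in the first hunk's `left < sizeof(*phdr)` branch still recomputes `(long) (end - pos)` for its `%ld` argument even though the line just above it now stores that value in `left`; logging the variable the check actually used keeps the two in agreement and drops the cast, `"payload header (left=%u)", left);`. The second hunk compares `plen` against the same `left`, so the report would then name exactly the quantity the validation rejected. `left` is `unsigned int` while `end - pos` is a `ptrdiff_t`; the narrowing is harmless for IKEv2 message sizes, but since the point of the change is to make the bound obvious to a static analyzer, a short comment on the assignment such as `/* left = bytes remaining after the end < pos guard above */` would document why the truncation is acceptable. ikev2_parse_payloads begins before the first hunk and continues after the second, and the first hunk appears to be missing its final line on this page.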