diff options
| author | Jouni Malinen <j@w1.fi> | 2015-10-18 14:46:32 (GMT) |
|---|---|---|
| committer | Jouni Malinen <j@w1.fi> | 2015-10-25 13:34:59 (GMT) |
| commit | de7fe64df5e3f90dd97767f835998bc1cbd8f56e (patch) | |
| tree | 9a857b215f966f9420bc654c10c649e58bbdbeed /src/radius | |
| parent | d2eb91e08f07120daac06137ce9679feb8e94412 (diff) | |
| download | hostap-de7fe64df5e3f90dd97767f835998bc1cbd8f56e.zip hostap-de7fe64df5e3f90dd97767f835998bc1cbd8f56e.tar.gz hostap-de7fe64df5e3f90dd97767f835998bc1cbd8f56e.tar.bz2 | |
RADIUS: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/radius')
| -rw-r--r-- | src/radius/radius.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/radius/radius.c b/src/radius/radius.c index bd2aadd..266b29f 100644 --- a/src/radius/radius.c +++ b/src/radius/radius.c @@ -704,7 +704,7 @@ struct radius_msg * radius_msg_parse(const u8 *data, size_t len) attr = (struct radius_attr_hdr *) pos; - if (pos + attr->length > end || attr->length < sizeof(*attr)) + if (attr->length > end - pos || attr->length < sizeof(*attr)) goto fail; /* TODO: check that attr->length is suitable for attr->type */ |