aboutsummaryrefslogtreecommitdiffstats
path: root/src/rsn_supp
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-10-18 14:16:39 (GMT)
committerJouni Malinen <j@w1.fi>2015-10-25 13:34:59 (GMT)
commit2461724c0501c5518fb064abc0a6342d24400604 (patch)
tree5f49918c35292fe926dfc21d3cdbfad57163772d /src/rsn_supp
parentf758ae76655301c08173b505db27deb407a2aca3 (diff)
downloadhostap-2461724c0501c5518fb064abc0a6342d24400604.zip
hostap-2461724c0501c5518fb064abc0a6342d24400604.tar.gz
hostap-2461724c0501c5518fb064abc0a6342d24400604.tar.bz2
RSN: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/rsn_supp')
-rw-r--r--src/rsn_supp/wpa.c4
-rw-r--r--src/rsn_supp/wpa_ie.c6
2 files changed, 5 insertions, 5 deletions
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 3968f4b..3095fd0 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1003,8 +1003,8 @@ static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
if (sm->assoc_resp_ies) {
pos = sm->assoc_resp_ies;
end = pos + sm->assoc_resp_ies_len;
- while (pos + 2 < end) {
- if (pos + 2 + pos[1] > end)
+ while (end - pos > 2) {
+ if (2 + pos[1] > end - pos)
break;
switch (*pos) {
case WLAN_EID_MOBILITY_DOMAIN:
diff --git a/src/rsn_supp/wpa_ie.c b/src/rsn_supp/wpa_ie.c
index 0c37b35..c44844e 100644
--- a/src/rsn_supp/wpa_ie.c
+++ b/src/rsn_supp/wpa_ie.c
@@ -378,7 +378,7 @@ static int wpa_parse_generic(const u8 *pos, const u8 *end,
return 0;
}
- if (pos + 1 + RSN_SELECTOR_LEN < end &&
+ if (1 + RSN_SELECTOR_LEN < end - pos &&
pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
@@ -491,13 +491,13 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
int ret = 0;
os_memset(ie, 0, sizeof(*ie));
- for (pos = buf, end = pos + len; pos + 1 < end; pos += 2 + pos[1]) {
+ for (pos = buf, end = pos + len; end - pos > 1; pos += 2 + pos[1]) {
if (pos[0] == 0xdd &&
((pos == buf + len - 1) || pos[1] == 0)) {
/* Ignore padding */
break;
}
- if (pos + 2 + pos[1] > end) {
+ if (2 + pos[1] > end - pos) {
wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key Key Data "
"underflow (ie=%d len=%d pos=%d)",
pos[0], pos[1], (int) (pos - buf));