authorJouni Malinen <j@w1.fi>2014-12-05 21:05:11 (GMT)
committerJouni Malinen <j@w1.fi>2014-12-06 10:16:32 (GMT)
commitc397eff82894efdaf6c6a49f5c9cf58f11564662 (patch)
tree489fca1892b5022bac9b6ae8d996780ce410dd38 /src/rsn_supp
parent369d07afc194fe5d96c085672ad960afac312c2a (diff)
Make GTK length validation easier to analyze
Bounds checking for gd->gtk_len in wpa_supplicant_check_group_cipher() was apparently too complex for some static analyzers. Use a local variable and a more explicit validation step to avoid a false report. (CID 62864) Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/rsn_supp')
-rw-r--r--src/rsn_supp/wpa.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 1d38ba5..ba42e5e 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1276,8 +1276,9 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
u16 ver, struct wpa_gtk_data *gd)
{
size_t maxkeylen;
+ u16 gtk_len;
- gd->gtk_len = WPA_GET_BE16(key->key_length);
+ gtk_len = WPA_GET_BE16(key->key_length);
maxkeylen = key_data_len;
if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
if (maxkeylen < 8) {
@@ -1289,11 +1290,13 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
maxkeylen -= 8;
}
- if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
- gd->gtk_len, maxkeylen,
+ if (gtk_len > maxkeylen ||
+ wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
+ gtk_len, maxkeylen,
&gd->key_rsc_len, &gd->alg))
return -1;
+ gd->gtk_len = gtk_len;
gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
WPA_KEY_INFO_KEY_INDEX_SHIFT;
if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
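Review bot: The added `gtk_len > maxkeylen` test in the `if` condition carries no comment, and it bounds the frame-supplied length only against the received key data, not against whatever storage in `gd` later holds the key. I would put a comment above the condition, for example `/* Explicit bound for static analyzers (CID 62864); cipher key length is still validated by wpa_supplicant_check_group_cipher() */`, so the check is neither dropped as redundant nor mistaken for the only length validation. Because `||` short-circuits, this rejection path returns -1 without calling the helper, so any diagnostic the helper may emit is skipped; a debug-level `wpa_printf` naming `gtk_len` and `maxkeylen` would help when triaging malformed EAPOL-Key frames. The function starts before and continues after this hunk, and the destination buffer size is not visible here, so the fit against it presumably still rests on the helper's check.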