aboutsummaryrefslogtreecommitdiffstats
path: root/src/tls
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2014-10-11 16:04:00 (GMT)
committerJouni Malinen <j@w1.fi>2014-10-11 16:04:00 (GMT)
commite7b96ecdb3cd132152123411afabf4e8970df154 (patch)
treea7fc7f834d7f3d9580e237b82c29a32cdabf3a47 /src/tls
parent92b5b371b6704a7cb05466c98f75658a28f4c4c9 (diff)
downloadhostap-e7b96ecdb3cd132152123411afabf4e8970df154.zip
hostap-e7b96ecdb3cd132152123411afabf4e8970df154.tar.gz
hostap-e7b96ecdb3cd132152123411afabf4e8970df154.tar.bz2
TLS client: Make DH parameter parsing easier for static analyzers
The dh_p_len, dh_g_len, and dh_ys_len parameters were validated against the received message structure, but that did not seem to be done in a way that some static analyzers would understand this (CID 72699). Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/tls')
-rw-r--r--src/tls/tlsv1_client_read.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c
index 4f08e0f..101e0cb 100644
--- a/src/tls/tlsv1_client_read.c
+++ b/src/tls/tlsv1_client_read.c
@@ -451,7 +451,7 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
server_params = pos;
conn->dh_p_len = WPA_GET_BE16(pos);
pos += 2;
- if (conn->dh_p_len == 0 || end - pos < (int) conn->dh_p_len) {
+ if (conn->dh_p_len == 0 || conn->dh_p_len > (size_t) (end - pos)) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
(unsigned long) conn->dh_p_len);
goto fail;
@@ -476,7 +476,7 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
goto fail;
conn->dh_g_len = WPA_GET_BE16(pos);
pos += 2;
- if (conn->dh_g_len == 0 || end - pos < (int) conn->dh_g_len)
+ if (conn->dh_g_len == 0 || conn->dh_g_len > (size_t) (end - pos))
goto fail;
conn->dh_g = os_malloc(conn->dh_g_len);
if (conn->dh_g == NULL)
@@ -492,7 +492,7 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
goto fail;
conn->dh_ys_len = WPA_GET_BE16(pos);
pos += 2;
- if (conn->dh_ys_len == 0 || end - pos < (int) conn->dh_ys_len)
+ if (conn->dh_ys_len == 0 || conn->dh_ys_len > (size_t) (end - pos))
goto fail;
conn->dh_ys = os_malloc(conn->dh_ys_len);
if (conn->dh_ys == NULL)