EAP-IKEv2 server: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
72bb05a033
commit
0421d47e34
1 changed files with 3 additions and 3 deletions
|
@ -133,7 +133,7 @@ static int ikev2_parse_transform(struct ikev2_initiator_data *data,
|
||||||
|
|
||||||
t = (const struct ikev2_transform *) pos;
|
t = (const struct ikev2_transform *) pos;
|
||||||
transform_len = WPA_GET_BE16(t->transform_length);
|
transform_len = WPA_GET_BE16(t->transform_length);
|
||||||
if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
|
if (transform_len < (int) sizeof(*t) || transform_len > end - pos) {
|
||||||
wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
|
wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
|
||||||
transform_len);
|
transform_len);
|
||||||
return -1;
|
return -1;
|
||||||
|
@ -221,7 +221,7 @@ static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
|
||||||
|
|
||||||
p = (const struct ikev2_proposal *) pos;
|
p = (const struct ikev2_proposal *) pos;
|
||||||
proposal_len = WPA_GET_BE16(p->proposal_length);
|
proposal_len = WPA_GET_BE16(p->proposal_length);
|
||||||
if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
|
if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
|
||||||
wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
|
wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
|
||||||
proposal_len);
|
proposal_len);
|
||||||
return -1;
|
return -1;
|
||||||
|
@ -256,7 +256,7 @@ static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
|
||||||
|
|
||||||
ppos = (const u8 *) (p + 1);
|
ppos = (const u8 *) (p + 1);
|
||||||
pend = pos + proposal_len;
|
pend = pos + proposal_len;
|
||||||
if (ppos + p->spi_size > pend) {
|
if (p->spi_size > pend - ppos) {
|
||||||
wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
|
wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
|
||||||
"in proposal");
|
"in proposal");
|
||||||
return -1;
|
return -1;
|
||||||
|
|
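Review bot: The SPI check in the third hunk, `if (p->spi_size > pend - ppos)`, is only sound because of the `proposal_len` validation in the second hunk, and nothing at the SPI check says so. `pend = pos + proposal_len` stays inside the buffer only when `proposal_len <= end - pos`, and `pend - ppos` is non-negative only when `proposal_len >= sizeof(*p)`; the two checks sit about 35 lines apart in ikev2_parse_proposal. A comment above the `pend` assignment, such as `/* proposal_len was checked against sizeof(*p) and end - pos above, so pend is in bounds and pend - ppos >= 0 */`, would keep a later edit from breaking that dependency on a length field that presumably comes from the received message. The reads of `t->transform_length` and `p->proposal_length` before the first two checks presumably rely on a minimum-size check outside the visible hunks, which is worth confirming. Both function bodies start and end outside the hunks.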