DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

EAP-FAST: Clean up TLV length validation (CID 62853)

Browse source 
Use size_t instead of int for storing and comparing the TLV length
against the remaining buffer length to make this easier for static
analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-06-18 16:42:15 +03:00
parent 35cbadbb14
commit 2dbc959699
4 changed files with 14 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/eap_server/eap_server_fast.c
View file

@ -1123,7 +1123,8 @@ static void eap_fast_process_phase2_eap(struct eap_sm *sm,
static int eap_fast_parse_tlvs(struct wpabuf *data,
struct eap_fast_tlv_parse *tlv)
{
int mandatory, tlv_type, len, res;
int mandatory, tlv_type, res;
size_t len;
u8 *pos, *end;
os_memset(tlv, 0, sizeof(*tlv));
@ -1136,13 +1137,14 @@ static int eap_fast_parse_tlvs(struct wpabuf *data,
pos += 2;
len = WPA_GET_BE16(pos);
pos += 2;
if (pos + len > end) {
if (len > (size_t) (end - pos)) {
wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow");
return -1;
}
wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: "
"TLV type %d length %d%s",
tlv_type, len, mandatory ? " (mandatory)" : "");
"TLV type %d length %u%s",
tlv_type, (unsigned int) len,
mandatory ? " (mandatory)" : "");
res = eap_fast_parse_tlv(tlv, tlv_type, pos, len);
if (res == -2)