SAE: Fix ECC element y coordinate validation step
prime_len was added to the start pointer twice and because of this, the actual y coordinate was not verified to be valid. This could also result in reading beyond the buffer in some cases. Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
2bb9e28336
commit
4414d9ee95
1 changed files with 1 additions and 1 deletions
|
@ -802,7 +802,7 @@ static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
|
||||||
|
|
||||||
/* element x and y coordinates < p */
|
/* element x and y coordinates < p */
|
||||||
if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 ||
|
if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 ||
|
||||||
os_memcmp(pos + sae->tmp->prime_len + sae->tmp->prime_len, prime,
|
os_memcmp(pos + sae->tmp->prime_len, prime,
|
||||||
sae->tmp->prime_len) >= 0) {
|
sae->tmp->prime_len) >= 0) {
|
||||||
wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer "
|
wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer "
|
||||||
"element");
|
"element");
|
||||||
|
|
Loading…
Reference in a new issue