SAE: Fix ECC element y coordinate validation step

prime_len was added to the start pointer twice and because of this, the
actual y coordinate was not verified to be valid. This could also result
in reading beyond the buffer in some cases.

Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2013-12-29 15:59:31 +02:00
parent 2bb9e28336
commit 4414d9ee95

View file

@ -802,7 +802,7 @@ static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
/* element x and y coordinates < p */ /* element x and y coordinates < p */
if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 || if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 ||
os_memcmp(pos + sae->tmp->prime_len + sae->tmp->prime_len, prime, os_memcmp(pos + sae->tmp->prime_len, prime,
sae->tmp->prime_len) >= 0) { sae->tmp->prime_len) >= 0) {
wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer " wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer "
"element"); "element");