Use more explicit num_pmkid validation in RSN IE parsing

Static analyzers may not have understood the bounds checking on
data->num_pmkid. Use a local, temporary variable and validate that that
value is within length limits before assigning this to data->num_pmkid to
make this clearer. (CID 62857, CID 68126)

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2014-11-23 18:43:59 +02:00
parent e7306bcb59
commit 46a0352589


@ -561,17 +561,17 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
} }
if (left >= 2) { if (left >= 2) {
data->num_pmkid = WPA_GET_LE16(pos); u16 num_pmkid = WPA_GET_LE16(pos);
pos += 2; pos += 2;
left -= 2; left -= 2;
if (left < (int) data->num_pmkid * PMKID_LEN) { if (num_pmkid > (unsigned int) left / PMKID_LEN) {
wpa_printf(MSG_DEBUG, "%s: PMKID underflow " wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
"(num_pmkid=%lu left=%d)", "(num_pmkid=%u left=%d)",
__func__, (unsigned long) data->num_pmkid, __func__, num_pmkid, left);
left);
data->num_pmkid = 0; data->num_pmkid = 0;
return -9; return -9;
} else { } else {
data->num_pmkid = num_pmkid;
data->pmkid = pos; data->pmkid = pos;
pos += data->num_pmkid * PMKID_LEN; pos += data->num_pmkid * PMKID_LEN;
left -= data->num_pmkid * PMKID_LEN; left -= data->num_pmkid * PMKID_LEN;
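Review bot: The `(unsigned int) left` cast in the new bound check is only safe because the enclosing `if (left >= 2)` and the `left -= 2` just above keep `left` non-negative; a negative `left` would convert to a very large value and let any `num_pmkid` from the frame pass. A short comment on the check, such as `/* left >= 0 here (guarded by left >= 2 above), so the cast cannot wrap */`, would record that invariant for anyone who later moves or reuses it. In the else branch the two updates could use the validated local instead of re-reading the struct field, `pos += num_pmkid * PMKID_LEN;` and `left -= num_pmkid * PMKID_LEN;`, which keeps the arithmetic tied to the value that was just checked; the field's type is not visible here, but the old `(unsigned long)` cast suggests it is wider than `u16`. The body of wpa_parse_wpa_ie_rsn starts and continues outside this hunk.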