Use more explicit num_pmkid validation in RSN IE parsing
Static analyzers may not have understood the bounds checking on data->num_pmkid. Use a local, temporary variable and validate that that value is within length limits before assigning this to data->num_pmkid to make this clearer. (CID 62857, CID 68126) Signed-off-by: Jouni Malinen <j@w1.fi>
parent
e7306bcb59
commit
46a0352589
1 changed files with 5 additions and 5 deletions
|
@ -561,17 +561,17 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
|
|||
}
|
||||
|
||||
if (left >= 2) {
|
||||
data->num_pmkid = WPA_GET_LE16(pos);
|
||||
u16 num_pmkid = WPA_GET_LE16(pos);
|
||||
pos += 2;
|
||||
left -= 2;
|
||||
if (left < (int) data->num_pmkid * PMKID_LEN) {
|
||||
if (num_pmkid > (unsigned int) left / PMKID_LEN) {
|
||||
wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
|
||||
"(num_pmkid=%lu left=%d)",
|
||||
__func__, (unsigned long) data->num_pmkid,
|
||||
left);
|
||||
"(num_pmkid=%u left=%d)",
|
||||
__func__, num_pmkid, left);
|
||||
data->num_pmkid = 0;
|
||||
return -9;
|
||||
} else {
|
||||
data->num_pmkid = num_pmkid;
|
||||
data->pmkid = pos;
|
||||
pos += data->num_pmkid * PMKID_LEN;
|
||||
left -= data->num_pmkid * PMKID_LEN;
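Review bot: The `(unsigned int) left` cast in the new bounds check is only safe because `left` cannot be negative at that point (the `left >= 2` guard followed by `left -= 2`); a negative `left` would convert to a large unsigned value and let an oversized `num_pmkid` pass the comparison. Since the commit's goal is to make the validation explicit, I would record that invariant next to the check, e.g. `/* left >= 0 here (guarded by left >= 2 above), so the unsigned cast cannot wrap */`. As a style point, the two advance lines could use the validated local, `pos += num_pmkid * PMKID_LEN;` and `left -= num_pmkid * PMKID_LEN;`, so the value that was checked and the value that is used are visibly the same. The function starts before this hunk and the `else` block continues past it, so the type of `left` is inferred from the `%d` format only.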
|
||||
|
|