DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

TLS client: Check DH parameters using a local variable

Browse source 
Use a temporary, local variable to check the DH parameters received from
the server before assigning the length to the struct tlsv1_client
variables. This will hopefully make it easier for static analyzers to
figure out that there is bounds checking for the value. (CID 72699)

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-11-23 17:48:34 +02:00
parent 43aee94899
commit 76874379d3
1 changed files with 11 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
src/tls/tlsv1_client_read.c
View file

@ -440,6 +440,7 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
const u8 *pos, *end, *server_params, *server_params_end;
u8 alert;
unsigned int bits;
u16 val;
tlsv1_client_free_dh(conn);
@ -449,13 +450,13 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
if (end - pos < 3)
goto fail;
server_params = pos;
conn->dh_p_len = WPA_GET_BE16(pos);
val = WPA_GET_BE16(pos);
pos += 2;
if (conn->dh_p_len == 0 || conn->dh_p_len > (size_t) (end - pos)) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %lu",
(unsigned long) conn->dh_p_len);
if (val == 0 || val > (size_t) (end - pos)) {
wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val);
goto fail;
}
conn->dh_p_len = val;
bits = count_bits(pos, conn->dh_p_len);
if (bits < 768) {
wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)",
@ -474,10 +475,11 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
if (end - pos < 3)
goto fail;
conn->dh_g_len = WPA_GET_BE16(pos);
val = WPA_GET_BE16(pos);
pos += 2;
if (conn->dh_g_len == 0 || conn->dh_g_len > (size_t) (end - pos))
if (val == 0 || val > (size_t) (end - pos))
goto fail;
conn->dh_g_len = val;
conn->dh_g = os_malloc(conn->dh_g_len);
if (conn->dh_g == NULL)
goto fail;
@ -490,10 +492,11 @@ static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn,
if (end - pos < 3)
goto fail;
conn->dh_ys_len = WPA_GET_BE16(pos);
val = WPA_GET_BE16(pos);
pos += 2;
if (conn->dh_ys_len == 0 || conn->dh_ys_len > (size_t) (end - pos))
if (val == 0 || val > (size_t) (end - pos))
goto fail;
conn->dh_ys_len = val;
conn->dh_ys = os_malloc(conn->dh_ys_len);
if (conn->dh_ys == NULL)
goto fail;