IKEv2: Use a bit clearer payload header validation step
It looks like the "pos + plen > end" case was not clear enough for a static analyzer to figure out that plen was being verified to not go beyond the buffer. (CID 72687) Signed-off-by: Jouni Malinen <j@w1.fi>
parent
f5f3728a81
commit
f931374f30
1 changed files with 6 additions and 3 deletions
|
@ -251,11 +251,14 @@ int ikev2_parse_payloads(struct ikev2_payloads *payloads,
|
|||
os_memset(payloads, 0, sizeof(*payloads));
|
||||
|
||||
while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
|
||||
unsigned int plen, pdatalen;
|
||||
unsigned int plen, pdatalen, left;
|
||||
const u8 *pdata;
|
||||
wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
|
||||
next_payload);
|
||||
if (end - pos < (int) sizeof(*phdr)) {
|
||||
if (end < pos)
|
||||
return -1;
|
||||
left = end - pos;
|
||||
if (left < sizeof(*phdr)) {
|
||||
wpa_printf(MSG_INFO, "IKEV2: Too short message for "
|
||||
"payload header (left=%ld)",
|
||||
(long) (end - pos));
|
||||
|
@ -263,7 +266,7 @@ int ikev2_parse_payloads(struct ikev2_payloads *payloads,
|
|||
}
|
||||
phdr = (const struct ikev2_payload_hdr *) pos;
|
||||
plen = WPA_GET_BE16(phdr->payload_length);
|
||||
if (plen < sizeof(*phdr) || pos + plen > end) {
|
||||
if (plen < sizeof(*phdr) || plen > left) {
|
||||
wpa_printf(MSG_INFO, "IKEV2: Invalid payload header "
|
||||
"length %d", plen);
|
||||
return -1;
|
||||
|
|
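Review bot: The rewritten bounds check in the second hunk, `plen > left`, carries no comment saying why it compares lengths rather than pointers, so a later cleanup could fold it back into `pos + plen > end`, which can form a pointer past the end of the buffer before the comparison is made. I would add a comment above `left = end - pos;` such as `/* Compare against the remaining length; never compute pos + plen before plen is validated */`. In the first hunk the "Too short message" log still recomputes `(long) (end - pos)` although `left` already holds that value; `"payload header (left=%u)", left` would keep a single source for it. The context line `"length %d", plen` prints an unsigned int with `%d`, and `%u` would match the type. The loop body of ikev2_parse_payloads continues outside both hunks.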