RSN: Avoid undefined behavior in pointer arithmetic
authorJouni Malinen <j@w1.fi>
Sun, 18 Oct 2015 14:16:39 +0000 (17:16 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 25 Oct 2015 13:34:59 +0000 (15:34 +0200)
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/rsn_supp/wpa.c
src/rsn_supp/wpa_ie.c

index 3968f4b29a0f8a6a4f05d0740ba1741da746cfa2..3095fd0f9f54bd615dabd725a1c37a002bfabe77 100644 (file)
@@ -1003,8 +1003,8 @@ static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
        if (sm->assoc_resp_ies) {
                pos = sm->assoc_resp_ies;
                end = pos + sm->assoc_resp_ies_len;
-               while (pos + 2 < end) {
-                       if (pos + 2 + pos[1] > end)
+               while (end - pos > 2) {
+                       if (2 + pos[1] > end - pos)
                                break;
                        switch (*pos) {
                        case WLAN_EID_MOBILITY_DOMAIN:
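Review bot: The reason for writing `end - pos > 2` instead of `pos + 2 < end` on L23 lives only in the commit message, so nothing in the loop itself stops a later reader from "simplifying" it back to the pointer-addition form; a one-line comment above the while, such as `/* Compare lengths, not pointers: pos + n may lie outside the buffer (UB), end - pos is always well-defined */`, would keep the invariant with the code. The same remark applies to the rewritten conditions at L34, L43 and L50 in wpa_ie.c. The rewrite is equivalent to the old test for any pos in [assoc_resp_ies, end], and both sides of the L24 comparison are signed (`end - pos` is ptrdiff_t, `2 + pos[1]` an int), so no unsigned promotion is introduced. wpa_supplicant_validate_ie_ft continues outside the hunk, including the advance of pos, so whether the L24 check alone bounds the increment cannot be confirmed from here.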
index 0c37b35c1ee1df83693db4247485629f08f5cef9..c44844ec583bfb73b48d72d4f6ed6361fbb99dd5 100644 (file)
@@ -378,7 +378,7 @@ static int wpa_parse_generic(const u8 *pos, const u8 *end,
                return 0;
        }
 
-       if (pos + 1 + RSN_SELECTOR_LEN < end &&
+       if (1 + RSN_SELECTOR_LEN < end - pos &&
            pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
            RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
                ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
@@ -491,13 +491,13 @@ int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
        int ret = 0;
 
        os_memset(ie, 0, sizeof(*ie));
-       for (pos = buf, end = pos + len; pos + 1 < end; pos += 2 + pos[1]) {
+       for (pos = buf, end = pos + len; end - pos > 1; pos += 2 + pos[1]) {
                if (pos[0] == 0xdd &&
                    ((pos == buf + len - 1) || pos[1] == 0)) {
                        /* Ignore padding */
                        break;
                }
-               if (pos + 2 + pos[1] > end) {
+               if (2 + pos[1] > end - pos) {
                        wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key Key Data "
                                   "underflow (ie=%d len=%d pos=%d)",
                                   pos[0], pos[1], (int) (pos - buf));
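Review bot: With the loop condition `end - pos > 1` on L43, pos is at most `end - 2` inside the body, so the `pos == buf + len - 1` sub-test on L45 can never be true (this was already the case under the old `pos + 1 < end`) and the padding branch is only ever entered through `pos[1] == 0`; either drop that sub-test or annotate it, e.g. `/* padding: 0xdd with zero length (a lone trailing 0xdd byte never enters the loop) */`. The L43 and L50 comparisons are what keep `pos += 2 + pos[1]` within [buf, end] while walking peer-supplied Key Data, and they are only safe because `end - pos` (ptrdiff_t) is compared against an int rather than a size_t; a short comment at L50 like `/* signed compare: end - pos is ptrdiff_t, do not rewrite in size_t */` would guard against a later conversion that could turn a small difference into a large unsigned value. The `wpa_parse_generic` hunk at L34 has the same property and needs no separate note.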