Use more explicit num_pmkid validation in RSN IE parsing
authorJouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 16:43:59 +0000 (18:43 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 19:03:29 +0000 (21:03 +0200)
Static analyzers may not have understood the bounds checking on
data->num_pmkid. Use a local, temporary variable and validate that that
value is within length limits before assigning this to data->num_pmkid to
make this clearer. (CID 62857, CID 68126)

Signed-off-by: Jouni Malinen <j@w1.fi>
src/common/wpa_common.c

index 2970d0f0f78f64cda3ec891b2b3c077492aa9d38..bea915c24da1cb93836ff1ecb2a16ccff9c788e7 100644 (file)
@@ -561,17 +561,17 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
        }
 
        if (left >= 2) {
-               data->num_pmkid = WPA_GET_LE16(pos);
+               u16 num_pmkid = WPA_GET_LE16(pos);
                pos += 2;
                left -= 2;
-               if (left < (int) data->num_pmkid * PMKID_LEN) {
+               if (num_pmkid > (unsigned int) left / PMKID_LEN) {
                        wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
-                                  "(num_pmkid=%lu left=%d)",
-                                  __func__, (unsigned long) data->num_pmkid,
-                                  left);
+                                  "(num_pmkid=%u left=%d)",
+                                  __func__, num_pmkid, left);
                        data->num_pmkid = 0;
                        return -9;
                } else {
+                       data->num_pmkid = num_pmkid;
                        data->pmkid = pos;
                        pos += data->num_pmkid * PMKID_LEN;
                        left -= data->num_pmkid * PMKID_LEN;
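Review bot: The new bound `num_pmkid > (unsigned int) left / PMKID_LEN` is only correct while `left` is non-negative at the cast, and nothing on that line says so; a negative `left` would convert to a very large unsigned value and let any count through. Within this hunk the invariant holds because of the enclosing `if (left >= 2)` followed by `left -= 2`, so I would record it next to the check, e.g. `/* left >= 0 here (>= 2 checked above); divide instead of multiply so the count from the IE is bounded without overflow */`. Since this count comes straight from the parsed element, it would also read more clearly if the following arithmetic used the validated local, `pos += num_pmkid * PMKID_LEN;` and `left -= num_pmkid * PMKID_LEN;`, rather than re-reading `data->num_pmkid`. The body of wpa_parse_wpa_ie_rsn starts and continues outside this hunk, so how `left` is maintained before this point cannot be confirmed from here.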