Make GTK length validation easier to analyze
authorJouni Malinen <j@w1.fi>
Fri, 5 Dec 2014 21:05:11 +0000 (23:05 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 6 Dec 2014 10:16:32 +0000 (12:16 +0200)
Bounds checking for gd->gtk_len in wpa_supplicant_check_group_cipher()
was apparently too complex for some static analyzers. Use a local
variable and a more explicit validation step to avoid false report.
(CID 62864)

Signed-off-by: Jouni Malinen <j@w1.fi>
src/rsn_supp/wpa.c

index 1d38ba5082ae62a6a0e53c8599ca09e7efe4f324..ba42e5e426251b0ea67bb848d521d234c719038a 100644 (file)
@@ -1276,8 +1276,9 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
                                             u16 ver, struct wpa_gtk_data *gd)
 {
        size_t maxkeylen;
+       u16 gtk_len;
 
-       gd->gtk_len = WPA_GET_BE16(key->key_length);
+       gtk_len = WPA_GET_BE16(key->key_length);
        maxkeylen = key_data_len;
        if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
                if (maxkeylen < 8) {
@@ -1289,11 +1290,13 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
                maxkeylen -= 8;
        }
 
-       if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
-                                             gd->gtk_len, maxkeylen,
+       if (gtk_len > maxkeylen ||
+           wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
+                                             gtk_len, maxkeylen,
                                              &gd->key_rsc_len, &gd->alg))
                return -1;
 
+       gd->gtk_len = gtk_len;
        gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
                WPA_KEY_INFO_KEY_INDEX_SHIFT;
        if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4) {
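Review bot: The added `gtk_len > maxkeylen` test short-circuits ahead of wpa_supplicant_check_group_cipher(), so an over-long Key Length in a received group key message now returns -1 without reaching any diagnostic that helper may print for the same condition (its body is not visible here; this is inferred from the commit message saying the bound was checked there). Consider giving the explicit check its own branch with a warning log so rejected frames stay visible when troubleshooting. At minimum, add a comment so the apparent duplicate is not later removed as redundant: `/* Explicit bound for static analyzers (CID 62864): Key Length must fit within the received Key Data */`. Deferring `gd->gtk_len = gtk_len;` until after validation is a good side effect, since `gd` no longer holds an unchecked length on the failure path. The function body starts before and continues past this hunk, so whether the length is also bounded against the destination buffer in `gd` cannot be confirmed from here.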