EAP-IKEv2 server: Avoid undefined behavior in pointer arithmetic
authorJouni Malinen <j@w1.fi>
Sun, 18 Oct 2015 08:23:44 +0000 (11:23 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 24 Oct 2015 18:43:54 +0000 (21:43 +0300)
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_server/ikev2.c

index 632598fac72ae6950ffe56c3791f897146dc8e90..5385cd89246fc74dc280afdcbfcf9ea7c9daf515 100644 (file)
@@ -133,7 +133,7 @@ static int ikev2_parse_transform(struct ikev2_initiator_data *data,
 
        t = (const struct ikev2_transform *) pos;
        transform_len = WPA_GET_BE16(t->transform_length);
-       if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
+       if (transform_len < (int) sizeof(*t) || transform_len > end - pos) {
                wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
                           transform_len);
                return -1;
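Review bot: The rewritten bound on the `transform_len` line carries no comment explaining why the length is compared with `end - pos` instead of `pos + transform_len` with `end`, so a later tidy-up could restore the old form and reintroduce the out-of-range pointer. I would add above the `if`: `/* Compare length with remaining bytes; pos + len could point beyond end, which is undefined */`. The same comment belongs on the `proposal_len` check in ikev2_parse_proposal. The read of `t->transform_length` just before the check depends on a minimum-size guard that is not visible here, since the function starts and ends outside the hunk.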
@@ -221,7 +221,7 @@ static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
 
        p = (const struct ikev2_proposal *) pos;
        proposal_len = WPA_GET_BE16(p->proposal_length);
-       if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
+       if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
                wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
                           proposal_len);
                return -1;
@@ -256,7 +256,7 @@ static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
 
        ppos = (const u8 *) (p + 1);
        pend = pos + proposal_len;
-       if (ppos + p->spi_size > pend) {
+       if (p->spi_size > pend - ppos) {
                wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
                           "in proposal");
                return -1;
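Review bot: The context line `pend = pos + proposal_len;` is still a pointer-plus-length computation, and nothing at this site says why it is safe. It stays within the buffer only because the earlier check in this function rejects `proposal_len > end - pos`. A short comment would keep that dependency visible: `/* proposal_len <= end - pos was verified above, so pend cannot pass end */`. The lines between the two checks are not shown, so this assumes `pos` and `proposal_len` are unchanged in between. The function continues outside the hunk.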