EAP-FAST: Clean up binary PAC file parser validation steps
authorJouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 18:31:08 +0000 (20:31 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 19:03:40 +0000 (21:03 +0200)
This was too difficult for some static analyzers (CID 62876). In
addition, the pac_info_len assignment should really have explicitly
validated that there is room for the two octet length field instead of
trusting the following validation step to handle both this and the
actual pac_info_len bounds checking.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_fast_pac.c

index 21d60983cd88acde9a528e69244752127bd8b5ee..377080f834971b7d2fb0b52e9eb3c49f948d13fe 100644 (file)
@@ -799,7 +799,9 @@ int eap_fast_load_pac_bin(struct eap_sm *sm, struct eap_fast_pac **pac_root,
        pos = buf + 6;
        end = buf + len;
        while (pos < end) {
-               if (end - pos < 2 + 32 + 2 + 2)
+               u16 val;
+
+               if (end - pos < 2 + EAP_FAST_PAC_KEY_LEN + 2 + 2)
                        goto parse_fail;
 
                pac = os_zalloc(sizeof(*pac));
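Review bot: The minimum-length check at `if (end - pos < 2 + EAP_FAST_PAC_KEY_LEN + 2 + 2)` adds up four sizes without saying which record fields they stand for, so a reader has to reconstruct the layout from the parsing code that follows. A comment such as `/* minimum per record: 2-octet field before pac_key + pac_key + 2-octet pac_opaque_len + 2-octet pac_info_len; variable-length data is checked separately */` would make the constant self-explanatory and also make clear that this is only a lower bound, since pac_info_len sits after the variable-length PAC-Opaque data. The enclosing while loop in eap_fast_load_pac_bin continues past the end of this hunk.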
@@ -810,19 +812,23 @@ int eap_fast_load_pac_bin(struct eap_sm *sm, struct eap_fast_pac **pac_root,
                pos += 2;
                os_memcpy(pac->pac_key, pos, EAP_FAST_PAC_KEY_LEN);
                pos += EAP_FAST_PAC_KEY_LEN;
-               pac->pac_opaque_len = WPA_GET_BE16(pos);
+               val = WPA_GET_BE16(pos);
                pos += 2;
-               if (pos + pac->pac_opaque_len + 2 > end)
+               if (val > end - pos)
                        goto parse_fail;
+               pac->pac_opaque_len = val;
                pac->pac_opaque = os_malloc(pac->pac_opaque_len);
                if (pac->pac_opaque == NULL)
                        goto parse_fail;
                os_memcpy(pac->pac_opaque, pos, pac->pac_opaque_len);
                pos += pac->pac_opaque_len;
-               pac->pac_info_len = WPA_GET_BE16(pos);
+               if (2 > end - pos)
+                       goto parse_fail;
+               val = WPA_GET_BE16(pos);
                pos += 2;
-               if (pos + pac->pac_info_len > end)
+               if (val > end - pos)
                        goto parse_fail;
+               pac->pac_info_len = val;
                pac->pac_info = os_malloc(pac->pac_info_len);
                if (pac->pac_info == NULL)
                        goto parse_fail;
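Review bot: The new guard `if (2 > end - pos)` is written constant-first while every other bound check in this commit puts the remaining length on the left (`end - pos < ...` in the first hunk, `val > end - pos` twice here); `if (end - pos < 2)` would read consistently with them. A one-line comment above that guard would also help, because the per-record minimum check at the top of the loop cannot guarantee room for this field once the variable-length PAC-Opaque has been consumed, e.g. `/* pac_info_len follows the variable-length PAC-Opaque, so re-check room for it */`. Note that a zero-length value still reaches `os_malloc(0)`, whose result is implementation-dependent and would be treated as a parse failure; that is pre-existing behaviour, not introduced here. The enclosing while loop and the rest of eap_fast_load_pac_bin continue outside the hunk.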