]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0421d47)
EAP-IKEv2 peer: Avoid undefined behavior in pointer arithmetic
authorJouni Malinen <j@w1.fi>
Sun, 18 Oct 2015 08:25:25 +0000 (11:25 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 24 Oct 2015 18:43:54 +0000 (21:43 +0300)
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/ikev2.c patch | blob | blame | history

diff --git a/src/eap_peer/ikev2.c b/src/eap_peer/ikev2.c
index 55ab72aee66c7a59dd2a867b35b52bbe9df226de..ca6502ea02e738786207016f9bda405c98760a32 100644 (file)
--- a/src/eap_peer/ikev2.c
+++ b/src/eap_peer/ikev2.c
@@ -128,7 +128,7 @@ static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
 
        t = (const struct ikev2_transform *) pos;
        transform_len = WPA_GET_BE16(t->transform_length);
-       if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
+       if (transform_len < (int) sizeof(*t) || transform_len > end - pos) {
                wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
                           transform_len);
                return -1;
@@ -248,7 +248,7 @@ static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
 
        ppos = (const u8 *) (p + 1);
        pend = pos + proposal_len;
-       if (ppos + p->spi_size > pend) {
+       if (p->spi_size > pend - ppos) {
                wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
                           "in proposal");
                return -1;
Unnamed repository; edit this file 'description' to name the repository.