EAP-FAST peer: Avoid undefined behavior in pointer arithmetic
authorJouni Malinen <j@w1.fi>
Sun, 18 Oct 2015 08:18:12 +0000 (11:18 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 24 Oct 2015 18:43:54 +0000 (21:43 +0300)
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_fast.c
src/eap_peer/eap_fast_pac.c

index 4cbe3bacb0a61a72d8e58ca9b78742c58d6b6b0f..833dcb6baa00f99585e1b6c0e081685b3594a404 100644 (file)
@@ -1096,7 +1096,7 @@ static int eap_fast_parse_decrypted(struct wpabuf *decrypted,
        /* Parse TLVs from the decrypted Phase 2 data */
        pos = wpabuf_mhead(decrypted);
        end = pos + wpabuf_len(decrypted);
-       while (pos + 4 < end) {
+       while (end - pos > 4) {
                mandatory = pos[0] & 0x80;
                tlv_type = WPA_GET_BE16(pos) & 0x3fff;
                pos += 2;
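Review bot: The bound `end - pos > 4` in eap_fast_parse_decrypted still stops when exactly four bytes remain, so a final header-only TLV (zero-length value) is never examined, including its mandatory bit from `pos[0] & 0x80`. This assumes a 2-byte type plus 2-byte length header, as the reads in eap_fast_pac_get_a_id suggest; the length read here lies outside the hunk. The commit keeps the semantics of the old `pos + 4 < end`, so this is not a regression. If a trailing header-only TLV should be processed, the condition would be `while (end - pos >= 4) {`, provided the rest of the loop body copes with a zero-length value. Otherwise a one-line comment stating that the skip is intended would help, and the same applies to the loop in eap_fast_pac.c.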
index 89e604ecf84b0d160691c3a7f9297f96c857fa63..c0986b314747e1c796db61672abb8fa29631afe9 100644 (file)
@@ -709,7 +709,7 @@ static void eap_fast_pac_get_a_id(struct eap_fast_pac *pac)
        pos = pac->pac_info;
        end = pos + pac->pac_info_len;
 
-       while (pos + 4 < end) {
+       while (end - pos > 4) {
                type = WPA_GET_BE16(pos);
                pos += 2;
                len = WPA_GET_BE16(pos);
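Review bot: The loop in eap_fast_pac_get_a_id has no comment explaining why the bound is written as a remaining-length comparison, so a later cleanup could turn it back into `pos + 4 < end`. I would add `/* Compare remaining length; pos + 4 could point past end (undefined behavior) */` above the `while`, and the same line above the loop in eap_fast_parse_decrypted. The check of `len` against the remaining bytes comes after the last line of this hunk, so it is worth confirming that it also uses the `end - pos` form rather than `pos + len`.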