Remove unnecessary and confusing length check from the PMKID KDE case

wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.

This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index e8a4a2beb919dcc7493281b99578358a5366e075..aaeb130238f4cf11b81d10694495e33cf6978f4c 100644 (file)
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -2681,12 +2681,10 @@ static int wpa_parse_vendor_specific(const u8 *pos, const u8 *end,
 /**
  * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs
  * @pos: Pointer to the IE header
- * @end: Pointer to the end of the Key Data buffer
  * @ie: Pointer to parsed IE data
  * Returns: 0 on success, 1 if end mark is found, -1 on failure
  */
-static int wpa_parse_generic(const u8 *pos, const u8 *end,
-                            struct wpa_eapol_ie_parse *ie)
+static int wpa_parse_generic(const u8 *pos, struct wpa_eapol_ie_parse *ie)
 {
        if (pos[1] == 0)
                return 1;
@@ -2708,8 +2706,7 @@ static int wpa_parse_generic(const u8 *pos, const u8 *end,
                return 0;
        }
 
-       if (1 + RSN_SELECTOR_LEN < end - pos &&
-           pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
+       if (pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
            RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
                ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
                wpa_hexdump(MSG_DEBUG, "WPA: PMKID in EAPOL-Key",
@@ -2895,7 +2892,7 @@ int wpa_parse_kde_ies(const u8 *buf, size_t len, struct wpa_eapol_ie_parse *ie)
                                ie->supp_oper_classes_len = pos[1];
                        }
                } else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
-                       ret = wpa_parse_generic(pos, end, ie);
+                       ret = wpa_parse_generic(pos, ie);
                        if (ret < 0)
                                break;
                        if (ret > 0) {