From: Jouni Malinen Date: Sun, 23 Nov 2014 18:39:52 +0000 (+0200) Subject: EAP-IKEv2: Make proposal_len validation clearer X-Git-Tag: hostap_2_4~1040 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d36f41692671a67913486f76ec6391e6dc326607;p=thirdparty%2Fhostap.git EAP-IKEv2: Make proposal_len validation clearer Some static analyzers seem to have issues understanding "pos + proposal_len > end" style validation, so convert this to "proposal_len > end - pos" to make this more obvious to be bounds checking for proposal_len. (CID 62874) Signed-off-by: Jouni Malinen --- diff --git a/src/eap_peer/ikev2.c b/src/eap_peer/ikev2.c index 8186afb53..e6a173ec1 100644 --- a/src/eap_peer/ikev2.c +++ b/src/eap_peer/ikev2.c @@ -213,7 +213,7 @@ static int ikev2_parse_proposal(struct ikev2_proposal_data *prop, p = (const struct ikev2_proposal *) pos; proposal_len = WPA_GET_BE16(p->proposal_length); - if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) { + if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) { wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d", proposal_len); return -1;
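Review bot: in the changed condition of ikev2_parse_proposal(), `proposal_len > end - pos` is only a valid bounds check if `pos <= end` holds and at least sizeof(*p) bytes remain, and the visible lines read `p->proposal_length` through the cast pointer before any such check appears in this hunk. Please confirm that the code above line 213 rejects `end - pos < (int) sizeof(*p)` before the cast, or add that test ahead of the WPA_GET_BE16() read. The commit message also presents this as a change made for static analyzers only, but the new form has a real benefit: `pos + proposal_len` with a 16-bit length taken from the message can form a pointer past the end of the buffer, which is undefined behaviour in C, while `end - pos` stays within the buffer. That is worth stating in the message so the same pattern is preferred in the other length checks in this parser.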