From: Jouni Malinen <j@w1.fi>
Date: Sun, 18 Oct 2015 14:46:32 +0000 (+0300)
Subject: RADIUS: Avoid undefined behavior in pointer arithmetic
X-Git-Tag: hostap_2_6~1474
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de7fe64df5e3f90dd97767f835998bc1cbd8f56e;p=thirdparty%2Fhostap.git

RADIUS: Avoid undefined behavior in pointer arithmetic

Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/radius/radius.c b/src/radius/radius.c
index bd2aadde1..266b29f7a 100644
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -704,7 +704,7 @@ struct radius_msg * radius_msg_parse(const u8 *data, size_t len)
 
 		attr = (struct radius_attr_hdr *) pos;
 
-		if (pos + attr->length > end || attr->length < sizeof(*attr))
+		if (attr->length > end - pos || attr->length < sizeof(*attr))
 			goto fail;
 
 		/* TODO: check that attr->length is suitable for attr->type */