From: Jouni Malinen <j@w1.fi>
Date: Sun, 29 Dec 2013 13:59:31 +0000 (+0200)
Subject: SAE: Fix ECC element y coordinate validation step
X-Git-Tag: hostap_2_1~295
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4414d9ee95941f50d07189cf59ea7dfcbc401b02;p=thirdparty%2Fhostap.git

SAE: Fix ECC element y coordinate validation step

prime_len was added to the start pointer twice and because of this, the
actual y coordinate was not verified to be valid. This could also result
in reading beyond the buffer in some cases.

Signed-hostap: Jouni Malinen <j@w1.fi>
---

diff --git a/src/common/sae.c b/src/common/sae.c
index c806b9faf..08bf054cb 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -802,7 +802,7 @@ static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
 
 	/* element x and y coordinates < p */
 	if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 ||
-	    os_memcmp(pos + sae->tmp->prime_len + sae->tmp->prime_len, prime,
+	    os_memcmp(pos + sae->tmp->prime_len, prime,
 		      sae->tmp->prime_len) >= 0) {
 		wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer "
 			   "element");