Accueil Explorer Aide
S'inscrire Connexion
wareck
/
krackattacks
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Parcourir la source

EAP-FAST: Clean up TLV length validation (CID 62853)

Use size_t instead of int for storing and comparing the TLV length
against the remaining buffer length to make this easier for static
analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen il y a 11 ans
Parent
35cbadbb14
commit
2dbc959699
4 fichiers modifiés avec 14 ajouts et 10 suppressions
Vue séparée Afficher les stats Diff
  1. 1 1
      src/eap_common/eap_fast_common.c
  2. 1 1
      src/eap_common/eap_fast_common.h
  3. 6 4
      src/eap_peer/eap_fast.c
  4. 6 4
      src/eap_server/eap_server_fast.c

+ 1 - 1
src/eap_common/eap_fast_common.c
Voir le fichier 

@@ -174,7 +174,7 @@ void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk)
 
 
 
 int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
 
-		       int tlv_type, u8 *pos, int len)
 
+		       int tlv_type, u8 *pos, size_t len)
 
 {
 
 	switch (tlv_type) {
 
 	case EAP_TLV_EAP_PAYLOAD_TLV:

+ 1 - 1
src/eap_common/eap_fast_common.h
Voir le fichier 

@@ -102,6 +102,6 @@ u8 * eap_fast_derive_key(void *ssl_ctx, struct tls_connection *conn,
 
 void eap_fast_derive_eap_msk(const u8 *simck, u8 *msk);
 
 void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk);
 
 int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
 
-		       int tlv_type, u8 *pos, int len);
 
+		       int tlv_type, u8 *pos, size_t len);
 
 
 #endif /* EAP_FAST_H */

+ 6 - 4
src/eap_peer/eap_fast.c
Voir le fichier 

@@ -1080,7 +1080,8 @@ static int eap_fast_parse_decrypted(struct wpabuf *decrypted,
 
 				    struct eap_fast_tlv_parse *tlv,
 
 				    struct wpabuf **resp)
 
 {
 
-	int mandatory, tlv_type, len, res;
 
+	int mandatory, tlv_type, res;
 
+	size_t len;
 
 	u8 *pos, *end;
 
 
 	os_memset(tlv, 0, sizeof(*tlv));
 
@@ -1094,13 +1095,14 @@ static int eap_fast_parse_decrypted(struct wpabuf *decrypted,
 
 		pos += 2;
 
 		len = WPA_GET_BE16(pos);
 
 		pos += 2;
 
-		if (pos + len > end) {
 
+		if (len > (size_t) (end - pos)) {
 
 			wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow");
 
 			return -1;
 
 		}
 
 		wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: "
 
-			   "TLV type %d length %d%s",
 
-			   tlv_type, len, mandatory ? " (mandatory)" : "");
 
+			   "TLV type %d length %u%s",
 
+			   tlv_type, (unsigned int) len,
 
+			   mandatory ? " (mandatory)" : "");
 
 
 		res = eap_fast_parse_tlv(tlv, tlv_type, pos, len);
 
 		if (res == -2)

+ 6 - 4
src/eap_server/eap_server_fast.c
Voir le fichier 

@@ -1123,7 +1123,8 @@ static void eap_fast_process_phase2_eap(struct eap_sm *sm,
 
 static int eap_fast_parse_tlvs(struct wpabuf *data,
 
 			       struct eap_fast_tlv_parse *tlv)
 
 {
 
-	int mandatory, tlv_type, len, res;
 
+	int mandatory, tlv_type, res;
 
+	size_t len;
 
 	u8 *pos, *end;
 
 
 	os_memset(tlv, 0, sizeof(*tlv));
 
@@ -1136,13 +1137,14 @@ static int eap_fast_parse_tlvs(struct wpabuf *data,
 
 		pos += 2;
 
 		len = WPA_GET_BE16(pos);
 
 		pos += 2;
 
-		if (pos + len > end) {
 
+		if (len > (size_t) (end - pos)) {
 
 			wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow");
 
 			return -1;
 
 		}
 
 		wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: "
 
-			   "TLV type %d length %d%s",
 
-			   tlv_type, len, mandatory ? " (mandatory)" : "");
 
+			   "TLV type %d length %u%s",
 
+			   tlv_type, (unsigned int) len,
 
+			   mandatory ? " (mandatory)" : "");
 
 
 		res = eap_fast_parse_tlv(tlv, tlv_type, pos, len);
 
 		if (res == -2)