
P2P SD: Avoid undefined behavior in pointer arithmetic

Reorder the terms so that no invalid pointers are generated by
pos+len expressions. end - pos is always well defined (as long as pos is
a valid pointer into the same buffer as end), whereas pos + len could
end up pointing beyond the end pointer, which is undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen il y a 9 ans
Parent
commit
f758ae7665
1 fichiers modifiés avec 9 ajouts et 9 suppressions
  1. 9 9
      wpa_supplicant/p2p_supplicant_sd.c

+ 9 - 9
wpa_supplicant/p2p_supplicant_sd.c

@@ -48,7 +48,7 @@ static int p2p_sd_dns_uncompress_label(char **upos, char *uend, u8 *start,
 			u8 *spos_tmp;
 
 			/* Offset */
-			if (*spos + 2 > end) {
+			if (end - *spos < 2) {
 				wpa_printf(MSG_DEBUG, "P2P: No room for full "
 					   "DNS offset field");
 				return -1;
@@ -74,14 +74,14 @@ static int p2p_sd_dns_uncompress_label(char **upos, char *uend, u8 *start,
 			return 0;
 
 		(*spos)++;
-		if (*spos + len > end) {
+		if (len > end - *spos) {
 			wpa_printf(MSG_DEBUG, "P2P: Invalid domain name "
 				   "sequence - no room for label with length "
 				   "%u", len);
 			return -1;
 		}
 
-		if (*upos + len + 2 > uend)
+		if (len + 2 > uend - *upos)
 			return -2;
 
 		os_memcpy(*upos, *spos, len);
@@ -722,11 +722,11 @@ void wpas_sd_request(void *ctx, int freq, const u8 *sa, u8 dialog_token,
 	if (resp == NULL)
 		return;
 
-	while (pos + 1 < end) {
+	while (end - pos > 1) {
 		wpa_printf(MSG_DEBUG, "P2P: Service Request TLV");
 		slen = WPA_GET_LE16(pos);
 		pos += 2;
-		if (pos + slen > end || slen < 2) {
+		if (slen > end - pos || slen < 2) {
 			wpa_printf(MSG_DEBUG, "P2P: Unexpected Query Data "
 				   "length");
 			wpabuf_free(resp);
@@ -827,10 +827,10 @@ static void wpas_sd_p2ps_serv_response(struct wpa_supplicant *wpa_s,
 		u8 svc_len;
 
 		/* Sanity check fixed length+svc_str */
-		if (pos + 6 >= tlv_end)
+		if (6 >= tlv_end - pos)
 			break;
 		svc_len = pos[6];
-		if (pos + svc_len + 10 > tlv_end)
+		if (svc_len + 10 > tlv_end - pos)
 			break;
 
 		/* Advertisement ID */
@@ -917,13 +917,13 @@ void wpas_sd_response(void *ctx, const u8 *sa, u16 update_indic,
 		}
 	}
 
-	while (pos < end) {
+	while (end - pos >= 2) {
 		u8 srv_proto, srv_trans_id, status;
 
 		wpa_printf(MSG_DEBUG, "P2P: Service Response TLV");
 		slen = WPA_GET_LE16(pos);
 		pos += 2;
-		if (pos + slen > end || slen < 3) {
+		if (slen > end - pos || slen < 3) {
 			wpa_printf(MSG_DEBUG, "P2P: Unexpected Response Data "
 				   "length");
 			return;