projects / mech_eap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 80c620d)
PCSC: Avoid undefined behavior in pointer arithmetic
authorJouni Malinen <j@w1.fi>
Sun, 18 Oct 2015 15:51:59 +0000 (18:51 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 25 Oct 2015 13:35:00 +0000 (15:35 +0200)
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/utils/pcsc_funcs.c patch | blob | history

diff --git a/src/utils/pcsc_funcs.c b/src/utils/pcsc_funcs.c
index 6f5ea93..2f1157b 100644 (file)
--- a/src/utils/pcsc_funcs.c
+++ b/src/utils/pcsc_funcs.c
@@ -275,7 +275,7 @@ static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,
        pos++;
        if (pos >= end)
                return -1;
-       if ((pos + pos[0]) < end)
+       if (pos[0] < end - pos)
                end = pos + 1 + pos[0];
        pos++;
        wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
@@ -1385,7 +1385,7 @@ int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
                end = buf + len;
 
                /* RES */
-               if (pos[0] > RES_MAX_LEN || pos + pos[0] > end) {
+               if (pos[0] > RES_MAX_LEN || pos[0] > end - pos) {
                        wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
                        return -1;
                }
@@ -1395,7 +1395,7 @@ int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
                wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
 
                /* CK */
-               if (pos[0] != CK_LEN || pos + CK_LEN > end) {
+               if (pos[0] != CK_LEN || CK_LEN > end - pos) {
                        wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
                        return -1;
                }
@@ -1405,7 +1405,7 @@ int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
                wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
 
                /* IK */
-               if (pos[0] != IK_LEN || pos + IK_LEN > end) {
+               if (pos[0] != IK_LEN || IK_LEN > end - pos) {
                        wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
                        return -1;
                }
Moonshot GSS-API mechanism