IKEv2: Use a bit clearer payload header validation step
authorJouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 14:37:16 +0000 (16:37 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 14:37:16 +0000 (16:37 +0200)
It looks like the "pos + plen > end" case was not clear enough for a
static analyzer to figure out that plen was being verified to not go
beyond the buffer. (CID 72687)

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_common/ikev2_common.c

index 262d9ab..4f9e64e 100644 (file)
@@ -251,11 +251,14 @@ int ikev2_parse_payloads(struct ikev2_payloads *payloads,
        os_memset(payloads, 0, sizeof(*payloads));
 
        while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
-               unsigned int plen, pdatalen;
+               unsigned int plen, pdatalen, left;
                const u8 *pdata;
                wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
                           next_payload);
-               if (end - pos < (int) sizeof(*phdr)) {
+               if (end < pos)
+                       return -1;
+               left = end - pos;
+               if (left < sizeof(*phdr)) {
                        wpa_printf(MSG_INFO, "IKEV2:   Too short message for "
                                   "payload header (left=%ld)",
                                   (long) (end - pos));
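Review bot: The added `if (end < pos) return -1;` rejects silently while every other rejection in this loop logs an MSG_INFO line, and the message just below still recomputes `(long) (end - pos)` instead of using the new `left`; `"payload header (left=%u)", left` would keep one value in the diagnostic and in the check. `left` is an unsigned int assigned from a pointer difference, so the assignment narrows on LP64; that is presumably harmless for IKEv2 message sizes, but a one-line comment such as `/* left = bytes remaining before end; pos <= end was checked above */` would make the intent explicit for the next reader and for the analyzer the commit is addressing. The body of ikev2_parse_payloads continues outside this hunk.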
@@ -263,7 +266,7 @@ int ikev2_parse_payloads(struct ikev2_payloads *payloads,
                }
                phdr = (const struct ikev2_payload_hdr *) pos;
                plen = WPA_GET_BE16(phdr->payload_length);
-               if (plen < sizeof(*phdr) || pos + plen > end) {
+               if (plen < sizeof(*phdr) || plen > left) {
                        wpa_printf(MSG_INFO, "IKEV2:   Invalid payload header "
                                   "length %d", plen);
                        return -1;
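Review bot: The diagnostic following the new `plen > left` check prints the unsigned `plen` with `%d`, a specifier/argument type mismatch; `"length %u", plen` would match the declaration in the first hunk. That line is unchanged by the commit, so this is pre-existing rather than a regression, but it sits directly in the code path the commit is tightening. The new bound itself is sound given `left = end - pos` established in the first hunk; the rest of the function, including how pos is advanced by plen, lies outside the hunk.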