Message ID | 20200819194446.756181-1-briannorris@chromium.org |
---|---|
State | Accepted |
Headers | show |
Series | wlantest: avoid heap-overflow on unexpected data | expand |
On Wed, Aug 19, 2020 at 12:44:46PM -0700, Brian Norris wrote: > We're doing a sort of bounds check, based on the previous loop, but only > after we've already tried to read off the end. > > This squashes some ASAN errors I'm seeing when running the ap_ft hwsim > test module. Thanks, applied.
diff --git a/wlantest/rx_eapol.c b/wlantest/rx_eapol.c index d75ed92ba73d..44388fdda4e0 100644 --- a/wlantest/rx_eapol.c +++ b/wlantest/rx_eapol.c @@ -722,8 +722,8 @@ static void rx_data_eapol_key_3_of_4(struct wlantest *wt, const u8 *dst, } p += 2 + p[1]; } - if (p && p > decrypted && *p == 0xdd && - p + 1 == decrypted + decrypted_len) { + if (p && p > decrypted && p + 1 == decrypted + decrypted_len && + *p == 0xdd) { /* Remove padding */ p--; plain_len = p - decrypted;
We're doing a sort of bounds check, based on the previous loop, but only after we've already tried to read off the end. This squashes some ASAN errors I'm seeing when running the ap_ft hwsim test module. Signed-off-by: Brian Norris <briannorris@chromium.org> --- wlantest/rx_eapol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)