8:18 a.m.
In practice a caller will know the contents of their buffer,
but just in case it would be nice to print a warning. This
may not satisfy static analysis, but at least with this the
developer will be informed what they are doing is wrong.
---
src/eap.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/eap.c b/src/eap.c
index dea0c3cf..39c950a2 100644
--- a/src/eap.c
+++ b/src/eap.c
@@ -167,6 +167,9 @@ static void eap_send_response(struct eap_state *eap, enum eap_type
type,
buf[4] = type;
if (type == EAP_TYPE_EXPANDED) {
+ if (L_WARN_ON(len < 12))
+ return;
+
memcpy(buf + 5, eap->method->vendor_id, 3);
l_put_be32(eap->method->vendor_type, buf + 8);
}
--
2.26.2
8:18 a.m.
New subject: [PATCH 2/3] fils: check return of ie_parse_rsne_from_data
---
src/fils.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/fils.c b/src/fils.c
index acead506..3917ca40 100644
--- a/src/fils.c
+++ b/src/fils.c
@@ -108,9 +108,11 @@ static void fils_erp_tx_func(const uint8_t *eap_data, size_t len,
ie_tlv_builder_init(&builder, ptr, sizeof(data) - 4);
- ie_parse_rsne_from_data(fils->hs->supplicant_ie,
+ if (ie_parse_rsne_from_data(fils->hs->supplicant_ie,
fils->hs->supplicant_ie[1] + 2,
- &rsn_info);
+ &rsn_info) < 0)
+ return;
+
rsne = alloca(256);
ie_build_rsne(&rsn_info, rsne);
--
2.26.2
8:25 a.m.
New subject: [PATCH 2/3] fils: check return of ie_parse_rsne_from_data
Hi James,
On 2/8/21 3:18 PM, James Prestwood wrote:
---
src/fils.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/fils.c b/src/fils.c
index acead506..3917ca40 100644
--- a/src/fils.c
+++ b/src/fils.c
@@ -108,9 +108,11 @@ static void fils_erp_tx_func(const uint8_t *eap_data, size_t len,
ie_tlv_builder_init(&builder, ptr, sizeof(data) - 4);
- ie_parse_rsne_from_data(fils->hs->supplicant_ie,
+ if (ie_parse_rsne_from_data(fils->hs->supplicant_ie,
fils->hs->supplicant_ie[1] + 2,
- &rsn_info);
+ &rsn_info) < 0)
+ return;
+
This really shouldn't fail. We parse and check the rsne for errors when
building the handshake_state (
handshake_state_set_supplicant_ie). So it should be checked then.
If we're paranoid about this, I'd do the checking in fils_sm_new or fils_start
or something
rsne = alloca(256);
ie_build_rsne(&rsn_info, rsne);
Regards,
-Denis
8:18 a.m.
New subject: [PATCH 3/3] network: free psk on error
---
src/network.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/network.c b/src/network.c
index 7cae413f..8f129718 100644
--- a/src/network.c
+++ b/src/network.c
@@ -403,8 +403,10 @@ static int network_load_psk(struct network *network, bool
need_passphrase)
l_error("%s: invalid PreSharedKey format", path);
l_free(path);
- if (!passphrase)
+ if (!passphrase) {
+ l_free(psk);
return -EINVAL;
+ }
}
network->psk = l_malloc(32);
--
2.26.2
8:29 a.m.
New subject: [PATCH 3/3] network: free psk on error
Hi James,
On 2/8/21 3:18 PM, James Prestwood wrote:
---
src/network.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/network.c b/src/network.c
index 7cae413f..8f129718 100644
--- a/src/network.c
+++ b/src/network.c
@@ -403,8 +403,10 @@ static int network_load_psk(struct network *network, bool
need_passphrase)
l_error("%s: invalid PreSharedKey format", path);
l_free(path);
- if (!passphrase)
+ if (!passphrase) {
+ l_free(psk);
return -EINVAL;
+ }
That only frees it if there's passphrase. But if we have to re-derive the PSK,
it is still leaked...
}
network->psk = l_malloc(32);
Regards,
-Denis
587
days inactive
587
days old
4 comments
2 participants
participants (2)
-
Denis Kenzior -
James Prestwood