Cumulative patch from commit 3302b7c29f42c532c815268bcdcd09e1dbe1840c

3302b7c Rate limit SA Query procedure initiation on unprotected disconnect
4075e2f EAP-GPSK: Clean up CSuite_List length validation (CID 62854)
2dbc959 EAP-FAST: Clean up TLV length validation (CID 62853)
35cbadb VHT: Remove useless validation code from Operating Mode Notification
bed7eb6 TDLS: Do not bail when failing to process IEs in Discovery Request
7e0f4f4 TDLS: Do not reject TPK M3 when failing to process IEs

Change-Id: I85ed050d7fce0ed8eb1959688171236d87264ff4
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>

1 files changed, 6 insertions, 4 deletions

diff --git a/src/eap_server/eap_server_fast.c b/src/eap_server/eap_server_fast.c
index fcb80dc7..44a443af 100644
--- a/src/eap_server/eap_server_fast.c
+++ b/src/eap_server/eap_server_fast.c
@@ -1123,7 +1123,8 @@ static void eap_fast_process_phase2_eap(struct eap_sm *sm,
 static int eap_fast_parse_tlvs(struct wpabuf *data,
 			       struct eap_fast_tlv_parse *tlv)
 {
-	int mandatory, tlv_type, len, res;
+	int mandatory, tlv_type, res;
+	size_t len;
 	u8 *pos, *end;
 
 	os_memset(tlv, 0, sizeof(*tlv));
@@ -1136,13 +1137,14 @@ static int eap_fast_parse_tlvs(struct wpabuf *data,
 		pos += 2;
 		len = WPA_GET_BE16(pos);
 		pos += 2;
-		if (pos + len > end) {
+		if (len > (size_t) (end - pos)) {
 			wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow");
 			return -1;
 		}
 		wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: "
-			   "TLV type %d length %d%s",
-			   tlv_type, len, mandatory ? " (mandatory)" : "");
+			   "TLV type %d length %u%s",
+			   tlv_type, (unsigned int) len,
+			   mandatory ? " (mandatory)" : "");
 
 		res = eap_fast_parse_tlv(tlv, tlv_type, pos, len);
 		if (res == -2)