From f2ac70318ac50fdd4972ea4b4ae19cc2d28b3bca Mon Sep 17 00:00:00 2001
From: Felipe
Date: Tue, 15 Sep 2020 14:12:50 -0300
Subject: [PATCH] Possible invalid memory access on memcpy

---
 .../source/Security/protocols/sec_prot_lib.c | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/features/nanostack/sal-stack-nanostack/source/Security/protocols/sec_prot_lib.c b/features/nanostack/sal-stack-nanostack/source/Security/protocols/sec_prot_lib.c
index 604644fbc2..5665677dca 100644
--- a/features/nanostack/sal-stack-nanostack/source/Security/protocols/sec_prot_lib.c
+++ b/features/nanostack/sal-stack-nanostack/source/Security/protocols/sec_prot_lib.c
@@ -373,19 +373,23 @@ uint8_t *sec_prot_lib_message_handle(uint8_t *ptk, uint16_t *kde_len, eapol_pdu_
 uint8_t *kde = ns_dyn_mem_temporary_alloc(key_data_len);
 *kde_len = key_data_len;

- if (eapol_pdu->msg.key.key_information.encrypted_key_data) {
- size_t output_len = eapol_pdu->msg.key.key_data_length;
- if (nist_aes_key_wrap(0, &ptk[KEK_INDEX], 128, key_data, key_data_len, kde, &output_len) < 0 || output_len != (size_t) key_data_len - 8) {
- tr_error("Decrypt failed");
- ns_dyn_mem_free(kde);
- return NULL;
+ if (kde) {
+ if (eapol_pdu->msg.key.key_information.encrypted_key_data) {
+ size_t output_len = eapol_pdu->msg.key.key_data_length;
+ if (nist_aes_key_wrap(0, &ptk[KEK_INDEX], 128, key_data, key_data_len, kde, &output_len) < 0 || output_len != (size_t) key_data_len - 8) {
+ tr_error("Decrypt failed");
+ ns_dyn_mem_free(kde);
+ return NULL;
+ }
+ *kde_len = output_len;
+ } else {
+ memcpy(kde, key_data, *kde_len);
 }
- *kde_len = output_len;
- } else {
- memcpy(kde, key_data, *kde_len);
+
+ return kde;
 }

- return kde;
+ return NULL;
 }

 int8_t sec_prot_lib_gtk_read(uint8_t *kde, uint16_t kde_len, sec_prot_keys_t *sec_keys)
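Review bot: `*kde_len = key_data_len;` still executes before the new `if (kde)` check, so when the allocation fails (and likewise on the "Decrypt failed" path) the function returns NULL while `*kde_len` reports a non-zero length. Assigning the length only after the allocation has succeeded, or writing `*kde_len = 0;` before each `return NULL;`, keeps the two outputs consistent for any caller that reads the length first. A guard clause directly after the allocation, `if (!kde) { return NULL; }`, would give the same protection without re-indenting the whole body, and a `tr_error` there would make the out-of-memory path as visible as the decrypt failure. `key_data_len` is computed above the hunk, so it cannot be confirmed from here that a frame-supplied length below 8 is rejected before `(size_t) key_data_len - 8` is evaluated; that check is worth verifying in the lines preceding this hunk.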