aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/hs20_supplicant.c
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2014-11-23 18:04:29 (GMT)
committerJouni Malinen <j@w1.fi>2014-11-23 19:03:40 (GMT)
commit355e17eb1be496f20f18da8583e0985474d4a7d5 (patch)
tree6cf6e55919b86f4a1f52d30323fc8b6899031d7f /wpa_supplicant/hs20_supplicant.c
parent5c58c0ce86d7f81d456c0ab675adb47e42fd0bdb (diff)
downloadhostap-355e17eb1be496f20f18da8583e0985474d4a7d5.zip
hostap-355e17eb1be496f20f18da8583e0985474d4a7d5.tar.gz
hostap-355e17eb1be496f20f18da8583e0985474d4a7d5.tar.bz2
HS 2.0: Clarify OSU Server URI length validation
The previous version was valid, but apparently too complex for some static analyzers. Use a local variable for uri_len and explicitly compare it against the remaining buffer length. (CID 68121) Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/hs20_supplicant.c')
-rw-r--r--wpa_supplicant/hs20_supplicant.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/wpa_supplicant/hs20_supplicant.c b/wpa_supplicant/hs20_supplicant.c
index a36e7cf..315fa28 100644
--- a/wpa_supplicant/hs20_supplicant.c
+++ b/wpa_supplicant/hs20_supplicant.c
@@ -562,6 +562,7 @@ static void hs20_osu_add_prov(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
const u8 *end = pos + len;
u16 len2;
const u8 *pos2;
+ u8 uri_len;
wpa_hexdump(MSG_DEBUG, "HS 2.0: Parsing OSU Provider", pos, len);
prov = os_realloc_array(wpa_s->osu_prov,
@@ -607,13 +608,19 @@ static void hs20_osu_add_prov(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
}
/* OSU Server URI */
- if (pos + 1 > end || pos + 1 + pos[0] > end) {
+ if (pos + 1 > end) {
+ wpa_printf(MSG_DEBUG,
+ "HS 2.0: Not enough room for OSU Server URI length");
+ return;
+ }
+ uri_len = *pos++;
+ if (uri_len > end - pos) {
wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU Server "
"URI");
return;
}
- os_memcpy(prov->server_uri, pos + 1, pos[0]);
- pos += 1 + pos[0];
+ os_memcpy(prov->server_uri, pos, uri_len);
+ pos += uri_len;
/* OSU Method list */
if (pos + 1 > end || pos + 1 + pos[0] > end) {