author Jouni Malinen <j@w1.fi> 2015-10-17 22:42:03 (GMT)
committer Jouni Malinen <j@w1.fi> 2015-10-18 08:37:47 (GMT)
commit 625745c297eff3db1c01bdb7d963ca24b3fca1d7
tree aacd02337173f71d4440304466daa6971b67eab5 /src/wps
parent bf0ec17a51cb9415522a513d81d6fc52d62189b5
WPS: Avoid undefined behavior in pointer arithmetic

Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>

Diffstat (limited to 'src/wps')
-rw-r--r-- src/wps/wps_attr_parse.c 4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/wps/wps_attr_parse.c b/src/wps/wps_attr_parse.c
index 11a967b..756d57e 100644
--- a/src/wps/wps_attr_parse.c
+++ b/src/wps/wps_attr_parse.c
@@ -83,10 +83,10 @@ static int wps_parse_vendor_ext_wfa(struct wps_parse_attr *attr, const u8 *pos,
const u8 *end = pos + len;
u8 id, elen;
- while (pos + 2 <= end) {
+ while (end - pos >= 2) {
id = *pos++;
elen = *pos++;
- if (pos + elen > end)
+ if (elen > end - pos)
break;
if (wps_set_vendor_ext_wfa_subelem(attr, id, elen, pos) < 0)
return -1;
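
Review bot: The unchanged context line `const u8 *end = pos + len;` at the top of this hunk still forms a pointer with pos + len, so the reordered checks in the loop are only well defined when the caller guarantees that at least len bytes are readable at pos; consider stating that precondition in a comment on wps_parse_vendor_ext_wfa(). Separately, the `break` taken when `elen > end - pos` leaves the loop with nothing in the visible lines to show that the last subelement was truncated; a debug message at that point would make malformed vendor extension data visible when triaging interoperability reports or fuzzing output.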