aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/interworking.c
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2014-11-23 15:13:47 (GMT)
committerJouni Malinen <j@w1.fi>2014-11-23 15:41:13 (GMT)
commit43aee9489954094b0c3792661f9e1505f9e5cbfe (patch)
treed8dc526b72b8955f5516272f1a3645b3a98b070a /wpa_supplicant/interworking.c
parentb81e274cdf72a0a21ba44572775db4072d8cad2a (diff)
downloadhostap-43aee9489954094b0c3792661f9e1505f9e5cbfe.zip
hostap-43aee9489954094b0c3792661f9e1505f9e5cbfe.tar.gz
hostap-43aee9489954094b0c3792661f9e1505f9e5cbfe.tar.bz2
Interworking: Clearer ANQP element length validation
The upper bound for the element length was already verified, but that was not apparently noticed by a static analyzer (CID 68128). Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/interworking.c')
-rw-r--r--wpa_supplicant/interworking.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index 19b6e38..a22c863 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -2808,7 +2808,9 @@ void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token,
end = pos + wpabuf_len(resp);
while (pos < end) {
- if (pos + 4 > end) {
+ unsigned int left = end - pos;
+
+ if (left < 4) {
wpa_printf(MSG_DEBUG, "ANQP: Invalid element");
break;
}
@@ -2816,7 +2818,8 @@ void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token,
pos += 2;
slen = WPA_GET_LE16(pos);
pos += 2;
- if (pos + slen > end) {
+ left -= 4;
+ if (left < slen) {
wpa_printf(MSG_DEBUG, "ANQP: Invalid element length "
"for Info ID %u", info_id);
break;