aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/interworking.c
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2014-12-06 16:51:23 (GMT)
committerJouni Malinen <j@w1.fi>2014-12-06 17:25:14 (GMT)
commitd84416a2af92b7f60089f04670691372c4f5fea2 (patch)
tree92fc3a4271562f0e0ce8b35830dd0375b0df4232 /wpa_supplicant/interworking.c
parent7d043641044566f08e059774caab50fc93290dcf (diff)
downloadhostap-d84416a2af92b7f60089f04670691372c4f5fea2.zip
hostap-d84416a2af92b7f60089f04670691372c4f5fea2.tar.gz
hostap-d84416a2af92b7f60089f04670691372c4f5fea2.tar.bz2
Interworking: Make bounds checking easier for static analyzers
'num * 5 > end - pos' handles bounds checking a bit more efficiently, but apparently that is not clear enough for all static analyzers. Replace with 'num > left / 5' to avoid false reports. (CID 68117) Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/interworking.c')
-rw-r--r--wpa_supplicant/interworking.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index a22c863..8c4ea34 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -508,20 +508,25 @@ static struct nai_realm * nai_realm_parse(struct wpabuf *anqp, u16 *count)
struct nai_realm *realm;
const u8 *pos, *end;
u16 i, num;
+ size_t left;
- if (anqp == NULL || wpabuf_len(anqp) < 2)
+ if (anqp == NULL)
+ return NULL;
+ left = wpabuf_len(anqp);
+ if (left < 2)
return NULL;
pos = wpabuf_head_u8(anqp);
- end = pos + wpabuf_len(anqp);
+ end = pos + left;
num = WPA_GET_LE16(pos);
wpa_printf(MSG_DEBUG, "NAI Realm Count: %u", num);
pos += 2;
+ left -= 2;
- if (num * 5 > end - pos) {
+ if (num > left / 5) {
wpa_printf(MSG_DEBUG, "Invalid NAI Realm Count %u - not "
"enough data (%u octets) for that many realms",
- num, (unsigned int) (end - pos));
+ num, (unsigned int) left);
return NULL;
}