authorJouni Malinen <j@w1.fi>2014-11-23 16:04:02 (GMT)
committerJouni Malinen <j@w1.fi>2014-11-23 16:04:02 (GMT)
commitfecc09edc30bf5f41fca94df0fe13c481fcebc86 (patch)
treee8015ffd5647dd3d7220c6da6c6cc4a17b6463a9 /wpa_supplicant/wnm_sta.c
parent76874379d35d854b433243dbd6c6e8ff6a051da0 (diff)
WNM: Use a clearer validation step for key_len_total
The previous one based on pointer arithmetic was apparently too much for some static analyzers (CID 68130). Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/wnm_sta.c')
-rw-r--r--wpa_supplicant/wnm_sta.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index a4743eb..424c634 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -245,6 +245,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
/* multiple TFS Resp IE (assuming consecutive) */
u8 *tfsresp_ie_start = NULL;
u8 *tfsresp_ie_end = NULL;
+ size_t left;
if (len < 3)
return;
@@ -252,11 +253,12 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d",
frm[0], key_len_total);
- pos += 3 + key_len_total;
- if (pos > frm + len) {
+ left = len - 3;
+ if (key_len_total > left) {
wpa_printf(MSG_INFO, "WNM: Too short frame for Key Data field");
return;
}
+ pos += 3 + key_len_total;
while (pos - frm < len) {
u8 ie_len = *(pos + 1);
if (pos + 2 + ie_len > frm + len) {
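Review bot: The IE loop right after the new key_len_total check still reads `*(pos + 1)` when only one byte remains, because `while (pos - frm < len)` guarantees only `pos < frm + len`; a single trailing byte after the Key Data field leads to a one-byte read past the frame buffer. The following `if (pos + 2 + ie_len > frm + len)` is also the same pointer-arithmetic comparison this commit replaces for key_len_total, and it can form a pointer beyond one-past-the-end. Both are clearer as remaining-length checks, for example `while (frm + len - pos >= 2) {` and `if (2 + ie_len > frm + len - pos) {`. The loop body continues outside the hunk, so this assumes nothing further down re-validates `pos` before the read.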