WPA: Use more explicit WPA/RSN selector count validation
authorJouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 19:08:13 +0000 (21:08 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 19:08:13 +0000 (21:08 +0200)
Some static analyzers had problems understanding "left < count * len"
(CID 62855, CID 62856), so convert this to equivalent "count > left /
len" (len here is fixed to 4, so this can be done efficiently).

Signed-off-by: Jouni Malinen <j@w1.fi>
src/common/wpa_common.c

index bea915c24da1cb93836ff1ecb2a16ccff9c788e7..340e505fdbd35aced358b1a7cd87cc21bb7a591b 100644 (file)
@@ -510,7 +510,7 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
                count = WPA_GET_LE16(pos);
                pos += 2;
                left -= 2;
-               if (count == 0 || left < count * RSN_SELECTOR_LEN) {
+               if (count == 0 || count > left / RSN_SELECTOR_LEN) {
                        wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
                                   "count %u left %u", __func__, count, left);
                        return -4;
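Review bot: Nothing at the check itself records why the bound is written as `count > left / RSN_SELECTOR_LEN` rather than the more obvious multiplication, so a later cleanup could quietly revert it; a one-line comment would help, e.g. `/* count selectors must fit in the remaining left octets; division form avoids computing count * len */`. `count` is read directly from the IE with WPA_GET_LE16, so this test is what bounds whatever selector loop follows outside the hunk. The same comment fits the key mgmt check in the second hunk and both checks in wpa_parse_wpa_ie_wpa. The declarations of `count` and `left` are not visible here; if they are signed, the `%u` conversions in the debug message do not match their type, though that predates this commit.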
@@ -538,7 +538,7 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
                count = WPA_GET_LE16(pos);
                pos += 2;
                left -= 2;
-               if (count == 0 || left < count * RSN_SELECTOR_LEN) {
+               if (count == 0 || count > left / RSN_SELECTOR_LEN) {
                        wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
                                   "count %u left %u", __func__, count, left);
                        return -6;
@@ -688,7 +688,7 @@ int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
                count = WPA_GET_LE16(pos);
                pos += 2;
                left -= 2;
-               if (count == 0 || left < count * WPA_SELECTOR_LEN) {
+               if (count == 0 || count > left / WPA_SELECTOR_LEN) {
                        wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
                                   "count %u left %u", __func__, count, left);
                        return -4;
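Review bot: This is the same count test that appears at three other places in this commit, differing only in the selector-length constant and the log text, which is why one analyzer complaint needed four identical edits. A small file-local helper would keep them in step, for example `static int wpa_selector_count_valid(int count, int left, int sel_len) { return count != 0 && count <= left / sel_len; }`, with each call site keeping its own wpa_printf and return code. The helper name is only a suggestion and the parameter types are a guess, since the declarations of `count` and `left` are outside the hunk.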
@@ -709,7 +709,7 @@ int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
                count = WPA_GET_LE16(pos);
                pos += 2;
                left -= 2;
-               if (count == 0 || left < count * WPA_SELECTOR_LEN) {
+               if (count == 0 || count > left / WPA_SELECTOR_LEN) {
                        wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
                                   "count %u left %u", __func__, count, left);
                        return -6;