The previous one based on pointer arithmetic was apparently too much for
some static analyzers (CID 68130).
Signed-off-by: Jouni Malinen <j@w1.fi>
/* multiple TFS Resp IE (assuming consecutive) */
u8 *tfsresp_ie_start = NULL;
u8 *tfsresp_ie_end = NULL;
+ size_t left;
if (len < 3)
return;
wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d",
frm[0], key_len_total);
- pos += 3 + key_len_total;
- if (pos > frm + len) {
+ left = len - 3;
+ if (key_len_total > left) {
wpa_printf(MSG_INFO, "WNM: Too short frame for Key Data field");
return;
}
+ pos += 3 + key_len_total;
while (pos - frm < len) {
u8 ie_len = *(pos + 1);
if (pos + 2 + ie_len > frm + len) {