]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7687437)
WNM: Use a clearer validation step for key_len_total
authorJouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 16:04:02 +0000 (18:04 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 23 Nov 2014 16:04:02 +0000 (18:04 +0200)
The previous one based on pointer arithmetic was apparently too much for
some static analyzers (CID 68130).

Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant/wnm_sta.c patch | blob | blame | history

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index a4743eb1ef3c534a14b93caa1b0e31254ad9c641..424c634a59d3ca1fc49104ab1050e9ab0dcdd02e 100644 (file)
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -245,6 +245,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
        /* multiple TFS Resp IE (assuming consecutive) */
        u8 *tfsresp_ie_start = NULL;
        u8 *tfsresp_ie_end = NULL;
+       size_t left;
 
        if (len < 3)
                return;
@@ -252,11 +253,12 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
 
        wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d",
                   frm[0], key_len_total);
-       pos += 3 + key_len_total;
-       if (pos > frm + len) {
+       left = len - 3;
+       if (key_len_total > left) {
                wpa_printf(MSG_INFO, "WNM: Too short frame for Key Data field");
                return;
        }
+       pos += 3 + key_len_total;
        while (pos - frm < len) {
                u8 ie_len = *(pos + 1);
                if (pos + 2 + ie_len > frm + len) {
Unnamed repository; edit this file 'description' to name the repository.