UBSan: Avoid size_t variable overflow in control interface

The loop "if (i-- == 0) break" style construction works in practice fine
since the check against 0 is done before decrementation. However, this
hits an UBSan warning, so split that decrementation to happen as a
separate step after the check and break from the loop.

ctrl_iface.c:5086:9: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 80f2d080eef5c05954d09ee8b8db5b8da0eaed0d..013d05cb382116328cac0dc597056586ef133236 100644 (file)
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -5083,10 +5083,11 @@ static int wpa_supplicant_ctrl_iface_bss(struct wpa_supplicant *wpa_s,
                bss = NULL;
                dl_list_for_each(tmp, &wpa_s->bss_id, struct wpa_bss, list_id)
                {
-                       if (i-- == 0) {
+                       if (i == 0) {
                                bss = tmp;
                                break;
                        }
+                       i--;
                }
        }