Interworking: Clearer ANQP element length validation

The upper bound for the element length was already verified, but that
was not apparently noticed by a static analyzer (CID 68128).

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index 19b6e38da552dc327188ff8729cf73f94a519f20..a22c8634fd52ccb8cf746466bb9e52a46de59c9e 100644 (file)
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -2808,7 +2808,9 @@ void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token,
        end = pos + wpabuf_len(resp);
 
        while (pos < end) {
-               if (pos + 4 > end) {
+               unsigned int left = end - pos;
+
+               if (left < 4) {
                        wpa_printf(MSG_DEBUG, "ANQP: Invalid element");
                        break;
                }
@@ -2816,7 +2818,8 @@ void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token,
                pos += 2;
                slen = WPA_GET_LE16(pos);
                pos += 2;
-               if (pos + slen > end) {
+               left -= 4;
+               if (left < slen) {
                        wpa_printf(MSG_DEBUG, "ANQP: Invalid element length "
                                   "for Info ID %u", info_id);
                        break;