Interworking: Make bounds checking easier for static analyzers

'num * 5 > end - pos' handles bounds checking a bit more efficiently,
but apparently that is not clear enough for all static analyzers.
Replace with 'num > left / 5' to avoid false reports. (CID 68117)

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index a22c8634fd52ccb8cf746466bb9e52a46de59c9e..8c4ea3468dbd8bf198748b1cd569bf08d0b42a45 100644 (file)
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -508,20 +508,25 @@ static struct nai_realm * nai_realm_parse(struct wpabuf *anqp, u16 *count)
        struct nai_realm *realm;
        const u8 *pos, *end;
        u16 i, num;
+       size_t left;
 
-       if (anqp == NULL || wpabuf_len(anqp) < 2)
+       if (anqp == NULL)
+               return NULL;
+       left = wpabuf_len(anqp);
+       if (left < 2)
                return NULL;
 
        pos = wpabuf_head_u8(anqp);
-       end = pos + wpabuf_len(anqp);
+       end = pos + left;
        num = WPA_GET_LE16(pos);
        wpa_printf(MSG_DEBUG, "NAI Realm Count: %u", num);
        pos += 2;
+       left -= 2;
 
-       if (num * 5 > end - pos) {
+       if (num > left / 5) {
                wpa_printf(MSG_DEBUG, "Invalid NAI Realm Count %u - not "
                           "enough data (%u octets) for that many realms",
-                          num, (unsigned int) (end - pos));
+                          num, (unsigned int) left);
                return NULL;
        }