From: Jouni Malinen
Date: Sun, 23 Nov 2014 16:04:02 +0000 (+0200)
Subject: WNM: Use a clearer validation step for key_len_total
X-Git-Tag: hostap_2_4~1050
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fecc09edc30bf5f41fca94df0fe13c481fcebc86;p=thirdparty%2Fhostap.git
WNM: Use a clearer validation step for key_len_total
The previous one based on pointer arithmetic was apparently too much for some static analyzers (CID 68130).
Signed-off-by: Jouni Malinen
---
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index a4743eb1e..424c634a5 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -245,6 +245,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
 /* multiple TFS Resp IE (assuming consecutive) */
 u8 *tfsresp_ie_start = NULL;
 u8 *tfsresp_ie_end = NULL;
+ size_t left;
 if (len < 3) return;
@@ -252,11 +253,12 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
 wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d", frm[0], key_len_total);
- pos += 3 + key_len_total;
- if (pos > frm + len) {
+ left = len - 3;
+ if (key_len_total > left) {
 wpa_printf(MSG_INFO, "WNM: Too short frame for Key Data field");
 return;
 }
+ pos += 3 + key_len_total;
 while (pos - frm < len) {
 u8 ie_len = *(pos + 1);
 if (pos + 2 + ie_len > frm + len) {
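Review bot: In the second hunk, the IE loop that follows the new check still reads `*(pos + 1)` whenever `pos - frm < len`. If exactly one byte remains after the Key Data field, that read of the length octet lands one byte past the received frame. The loop should require two remaining bytes before reading the IE header, e.g. `while (frm + len - pos >= 2) {`. The next line, `if (pos + 2 + ie_len > frm + len)`, is the same pointer-arithmetic bound this commit replaces for key_len_total; adding `left -= key_len_total;` after the check would let the loop test a remaining-length count instead. The loop body continues outside the hunk, and the declared types of `len` and `key_len_total` are not visible here.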