This patch correctly checks if enough data bytes for parsing IEs are
present (-2 in check for type and length). Furthermore, it adds a
nullptr and length check to ease future fuzzing.
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Link: https://lore.kernel.org/r/20200209165902.44110-3-markus.theil@tu-ilmenau.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
.ie = ie,
.ielen = ielen };
- while (ielen >= 2 && ielen >= ie[1]) {
+ if (ie == NULL || ielen < 0)
+ return;
+
+ while (ielen >= 2 && ielen - 2 >= ie[1]) {
if (ie[0] < ARRAY_SIZE(ieprinters) &&
ieprinters[ie[0]].name &&
ieprinters[ie[0]].flags & BIT(ptype)) {
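Review bot: The `ielen < 0` half of the new guard `if (ie == NULL || ielen < 0)` only has an effect if `ielen` is a signed type, and its declaration is not part of this hunk; if it is unsigned the comparison is always false and should be dropped, and if it is signed a one-line comment saying the guard exists for fuzzing harnesses would explain why a caller could reach it. In the loop condition, `ielen - 2 >= ie[1]` is safe because `ielen >= 2` is evaluated first, but a truncated final IE now simply ends the loop, so unless the code after the loop already reports leftover bytes, consider printing a note when `ielen` is non-zero on exit so malformed input is visible rather than silently skipped.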