Make radius_msg_add_attr_user_password() easier for static analyzers

Explicitly validate data_len so that static analyzers do not get
confused about the padlen validation. This is not really needed, but it
makes the code a bit easier for static analyzers.

Signed-hostap: Jouni Malinen <j@w1.fi>

diff --git a/src/radius/radius.c b/src/radius/radius.c
index 70754ef5dd7254fb4902f4a6f93a5dae8a0da3b2..fb03a2500043c89d54b9c59729097a906cd4131c 100644 (file)
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -1090,8 +1090,7 @@ radius_msg_add_attr_user_password(struct radius_msg *msg,
                                  const u8 *secret, size_t secret_len)
 {
        u8 buf[128];
-       int padlen, i;
-       size_t buf_len, pos;
+       size_t padlen, i, buf_len, pos;
        const u8 *addr[2];
        size_t len[2];
        u8 hash[16];
@@ -1103,7 +1102,7 @@ radius_msg_add_attr_user_password(struct radius_msg *msg,
        buf_len = data_len;
 
        padlen = data_len % 16;
-       if (padlen) {
+       if (padlen && data_len < sizeof(buf)) {
                padlen = 16 - padlen;
                os_memset(buf + data_len, 0, padlen);
                buf_len += padlen;