FST: More robust bounds checking of local data in fst_dump_mb_ies()
authorJouni Malinen <j@w1.fi>
Sun, 8 May 2022 14:18:58 +0000 (17:18 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 8 May 2022 14:18:58 +0000 (17:18 +0300)
Check the full MBIE length against the buffer length explicitly before
the debug print. This is for locally generated data, so the bounds
checking is not critical here, but it is better to use proper checking
anyway to avoid static analyzer complaints.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/fst/fst_group.c

index d1c4014971b3aff2aa27ba3d18a0986541397635..255d0fdc9982befb3c131191c88f53c2839943a2 100644 (file)
@@ -28,8 +28,13 @@ static void fst_dump_mb_ies(const char *group_id, const char *ifname,
        while (s >= 2) {
                const struct multi_band_ie *mbie =
                        (const struct multi_band_ie *) p;
+               size_t len;
+
                WPA_ASSERT(mbie->eid == WLAN_EID_MULTI_BAND);
                WPA_ASSERT(2U + mbie->len >= sizeof(*mbie));
+               len = 2 + mbie->len;
+               if (len > s)
+                       break;
 
                fst_printf(MSG_WARNING,
                           "%s: %s: mb_ctrl=%u band_id=%u op_class=%u chan=%u bssid="
@@ -45,8 +50,8 @@ static void fst_dump_mb_ies(const char *group_id, const char *ifname,
                           mbie->mb_connection_capability,
                           mbie->fst_session_tmout);
 
-               p += 2 + mbie->len;
-               s -= 2 + mbie->len;
+               p += len;
+               s -= len;
        }
 }