RNR: Silence static analyzer warnings
authorJouni Malinen <j@w1.fi>
Sun, 23 Feb 2025 14:38:11 +0000 (16:38 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 23 Feb 2025 14:58:26 +0000 (16:58 +0200)
The !tbtt_count check seemed to be too complex for static analyzers to
understand that len and total_len have been incremented by at least
RNR_TBTT_HEADER_LEN. Silence the incorrect warning about integer
overflow with explicit checks.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/ap/ieee802_11.c

index 01e07d5cfc772d7dd6ae9cea0ba9b3f8b25866d1..9a4869199b5c5e5924e7d139ff0e22cbee63eea1 100644 (file)
@@ -7861,7 +7861,8 @@ repeat_rnr_len:
 
                /* If no TBTT was found, adjust the len and total_len since it
                 * would have incremented before we checked all BSSs. */
-               if (!tbtt_count) {
+               if (!tbtt_count && len >= RNR_TBTT_HEADER_LEN &&
+                   total_len >= RNR_TBTT_HEADER_LEN) {
                        len -= RNR_TBTT_HEADER_LEN;
                        total_len -= RNR_TBTT_HEADER_LEN;
                }
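Review bot: The added `len >= RNR_TBTT_HEADER_LEN && total_len >= RNR_TBTT_HEADER_LEN` guards, here and in the `!tbtt_count && total_tbtt_count` condition of the next hunk, encode an invariant that the code itself never states, so a later reader cannot tell an analyzer-only check from a case that can occur at runtime. The commit message says the condition always holds, so a comment at both sites would record that, for example `/* len and total_len were already incremented by RNR_TBTT_HEADER_LEN above; the >= checks only make this explicit for static analyzers */`. If the invariant were ever broken, the guard skips the adjustment silently, and because the two tests are joined with `&&` neither counter is adjusted even when only one is short; a debug log on that path would surface the inconsistency, which matters if the computed length later sizes the element buffer (not visible here). The enclosing function starts and ends outside both hunks.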
@@ -7871,7 +7872,8 @@ repeat_rnr_len:
 
        /* This is possible when in the re-built case and no suitable TBTT was
         * found. Adjust the length accordingly. */
-       if (!tbtt_count && total_tbtt_count) {
+       if (!tbtt_count && total_tbtt_count && len >= RNR_TBTT_HEADER_LEN &&
+           total_len >= RNR_TBTT_HEADER_LEN) {
                len -= RNR_TBTT_HEADER_LEN;
                total_len -= RNR_TBTT_HEADER_LEN;
        }