EAP-GPSK: Clean up CSuite_List length validation (CID 62854)

Use a local variable and size_t in length comparison to make this easier
for static analyzers to understand. In addition, set the return list and
list_len values at the end of the function, i.e., only in success case.
These do not change the actual behavior of the only caller for this
function, but clarifies what the helper function is doing.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/eap_peer/eap_gpsk.c b/src/eap_peer/eap_gpsk.c
index 5b023c7933142e9b9eef7f72fe2a264643499ed6..3c9cbf4ad2c26f0fe80a5688082ab68209d4904a 100644 (file)
--- a/src/eap_peer/eap_gpsk.c
+++ b/src/eap_peer/eap_gpsk.c
@@ -236,6 +236,8 @@ static const u8 * eap_gpsk_process_csuite_list(struct eap_sm *sm,
                                               size_t *list_len,
                                               const u8 *pos, const u8 *end)
 {
+       size_t len;
+
        if (pos == NULL)
                return NULL;
 
@@ -243,23 +245,25 @@ static const u8 * eap_gpsk_process_csuite_list(struct eap_sm *sm,
                wpa_printf(MSG_DEBUG, "EAP-GPSK: Too short GPSK-1 packet");
                return NULL;
        }
-       *list_len = WPA_GET_BE16(pos);
+       len = WPA_GET_BE16(pos);
        pos += 2;
-       if (end - pos < (int) *list_len) {
+       if (len > (size_t) (end - pos)) {
                wpa_printf(MSG_DEBUG, "EAP-GPSK: CSuite_List overflow");
                return NULL;
        }
-       if (*list_len == 0 || (*list_len % sizeof(struct eap_gpsk_csuite))) {
+       if (len == 0 || (len % sizeof(struct eap_gpsk_csuite))) {
                wpa_printf(MSG_DEBUG, "EAP-GPSK: Invalid CSuite_List len %lu",
-                          (unsigned long) *list_len);
+                          (unsigned long) len);
                return NULL;
        }
-       *list = pos;
-       pos += *list_len;
 
-       if (eap_gpsk_select_csuite(sm, data, *list, *list_len) < 0)
+       if (eap_gpsk_select_csuite(sm, data, pos, len) < 0)
                return NULL;
 
+       *list = pos;
+       *list_len = len;
+       pos += len;
+
        return pos;
 }