WPS: Avoid undefined behavior in pointer arithmetic

Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/wps/wps_attr_parse.c b/src/wps/wps_attr_parse.c
index 11a967ba0ef182f2a7ddc882b160f7425f6d5d50..756d57e876c55186fc3c5097854f220c0f2046b8 100644 (file)
--- a/src/wps/wps_attr_parse.c
+++ b/src/wps/wps_attr_parse.c
@@ -83,10 +83,10 @@ static int wps_parse_vendor_ext_wfa(struct wps_parse_attr *attr, const u8 *pos,
        const u8 *end = pos + len;
        u8 id, elen;
 
-       while (pos + 2 <= end) {
+       while (end - pos >= 2) {
                id = *pos++;
                elen = *pos++;
-               if (pos + elen > end)
+               if (elen > end - pos)
                        break;
                if (wps_set_vendor_ext_wfa_subelem(attr, id, elen, pos) < 0)
                        return -1;