privsep: Avoid undefined behavior in pointer arithmetic
authorJouni Malinen <j@w1.fi>
Sun, 18 Oct 2015 16:08:25 +0000 (19:08 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 25 Oct 2015 17:37:16 +0000 (19:37 +0200)
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/drivers/driver_privsep.c

index 1f1676a20ac5868f68b4e13f66a360da53c70593..762c12ff4c06d434792b3bfdaf28e06c97931fc3 100644 (file)
@@ -161,11 +161,11 @@ wpa_driver_privsep_get_scan_results2(void *priv)
                return NULL;
        }
 
-       while (results->num < (size_t) num && pos + sizeof(int) < end) {
+       while (results->num < (size_t) num && end - pos > sizeof(int)) {
                int len;
                os_memcpy(&len, pos, sizeof(int));
                pos += sizeof(int);
-               if (len < 0 || len > 10000 || pos + len > end)
+               if (len < 0 || len > 10000 || len > end - pos)
                        break;
 
                r = os_malloc(len);
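Review bot: In the new loop condition `end - pos > sizeof(int)` the left side is a signed ptrdiff_t and the right side a size_t, so the difference is converted to unsigned before the comparison, which is only correct while `pos <= end` holds. The visible advance `pos += sizeof(int)` preserves that, but the initial values of `pos` and `end` and any later advance are outside the hunk, so the invariant is implicit. Writing it as `(size_t) (end - pos) > sizeof(int)` with a comment such as `/* pos never passes end: each advance is bounded by end - pos */` would document what the fix relies on and avoid sign-comparison warnings. Separately, `len` comes from the received buffer and is accepted down to 0 before `r = os_malloc(len)`. If `r` points to a fixed-size result header (its type is declared outside the hunk), a lower bound such as `(size_t) len < sizeof(*r)` belongs in the same check, unless the rest of the loop body, which continues past the hunk, already enforces it before reading any field of `r`.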