HS 2.0: Clarify OSU Friendly Name length validation

This extends the changes in commit 0570a3ea7d87 ("HS 2.0: Clarify OSU
Provider list length validation") to cover the length field for the OSU
Friendly Name value to try to get this easier for static analyzers to
understand.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/wpa_supplicant/hs20_supplicant.c b/wpa_supplicant/hs20_supplicant.c
index 3bf777e6aa13546ec2e39e3fc87bde260fbb5507..de350bbb4f5e5a1cf04cdcea873315d7c46de815 100644 (file)
--- a/wpa_supplicant/hs20_supplicant.c
+++ b/wpa_supplicant/hs20_supplicant.c
@@ -901,14 +901,25 @@ static void hs20_osu_add_prov(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
        /* OSU Friendly Name Duples */
        while (pos - pos2 >= 4 && prov->friendly_name_count < OSU_MAX_ITEMS) {
                struct osu_lang_string *f;
-               if (1 + pos2[0] > pos - pos2 || pos2[0] < 3) {
+               u8 slen;
+
+               slen = pos2[0];
+               if (1 + slen > pos - pos2) {
                        wpa_printf(MSG_DEBUG, "Invalid OSU Friendly Name");
                        break;
                }
+               if (slen < 3) {
+                       wpa_printf(MSG_DEBUG,
+                                  "Invalid OSU Friendly Name (no room for language)");
+                       break;
+               }
                f = &prov->friendly_name[prov->friendly_name_count++];
-               os_memcpy(f->lang, pos2 + 1, 3);
-               os_memcpy(f->text, pos2 + 1 + 3, pos2[0] - 3);
-               pos2 += 1 + pos2[0];
+               pos2++;
+               os_memcpy(f->lang, pos2, 3);
+               pos2 += 3;
+               slen -= 3;
+               os_memcpy(f->text, pos2, slen);
+               pos2 += slen;
        }
 
        /* OSU Server URI */