GAS server: Avoid undefined behavior in pointer arithmetic

Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/gas_serv.c b/src/ap/gas_serv.c
index c11977fd58a96be4076e5a9c234351fd92a61e75..4bcdf6f92cd700be796ad8a091663c862748baae 100644 (file)
--- a/src/ap/gas_serv.c
+++ b/src/ap/gas_serv.c
@@ -401,7 +401,7 @@ static int hs20_add_nai_home_realm_matches(struct hostapd_data *hapd,
 
        pos = home_realm;
        end = pos + home_realm_len;
-       if (pos + 1 > end) {
+       if (end - pos < 1) {
                wpa_hexdump(MSG_DEBUG, "Too short NAI Home Realm Query",
                            home_realm, home_realm_len);
                return -1;
@@ -409,7 +409,7 @@ static int hs20_add_nai_home_realm_matches(struct hostapd_data *hapd,
        num_realms = *pos++;
 
        for (i = 0; i < num_realms && num_matching < 10; i++) {
-               if (pos + 2 > end) {
+               if (end - pos < 2) {
                        wpa_hexdump(MSG_DEBUG,
                                    "Truncated NAI Home Realm Query",
                                    home_realm, home_realm_len);
@@ -417,7 +417,7 @@ static int hs20_add_nai_home_realm_matches(struct hostapd_data *hapd,
                }
                encoding = *pos++;
                realm_len = *pos++;
-               if (pos + realm_len > end) {
+               if (realm_len > end - pos) {
                        wpa_hexdump(MSG_DEBUG,
                                    "Truncated NAI Home Realm Query",
                                    home_realm, home_realm_len);
@@ -991,7 +991,7 @@ static void rx_anqp_query_list(struct hostapd_data *hapd,
        wpa_printf(MSG_DEBUG, "ANQP: %u Info IDs requested in Query list",
                   (unsigned int) (end - pos) / 2);
 
-       while (pos + 2 <= end) {
+       while (end - pos >= 2) {
                rx_anqp_query_list_id(hapd, WPA_GET_LE16(pos), qi);
                pos += 2;
        }
@@ -1080,7 +1080,7 @@ static void rx_anqp_vendor_specific(struct hostapd_data *hapd,
        u32 oui;
        u8 subtype;
 
-       if (pos + 4 > end) {
+       if (end - pos < 4) {
                wpa_printf(MSG_DEBUG, "ANQP: Too short vendor specific ANQP "
                           "Query element");
                return;
@@ -1116,7 +1116,7 @@ static void rx_anqp_vendor_specific(struct hostapd_data *hapd,
        }
        pos++;
 
-       if (pos + 1 >= end)
+       if (end - pos <= 1)
                return;
 
        subtype = *pos++;
@@ -1244,12 +1244,12 @@ static void gas_serv_rx_gas_initial_req(struct hostapd_data *hapd,
        adv_proto = pos++;
 
        slen = *pos++;
-       next = pos + slen;
-       if (next > end || slen < 2) {
+       if (slen > end - pos || slen < 2) {
                wpa_msg(hapd->msg_ctx, MSG_DEBUG,
                        "GAS: Invalid IE in GAS Initial Request");
                return;
        }
+       next = pos + slen;
        pos++; /* skip QueryRespLenLimit and PAME-BI */
 
        if (*pos != ACCESS_NETWORK_QUERY_PROTOCOL) {
@@ -1276,11 +1276,11 @@ static void gas_serv_rx_gas_initial_req(struct hostapd_data *hapd,
 
        pos = next;
        /* Query Request */
-       if (pos + 2 > end)
+       if (end - pos < 2)
                return;
        slen = WPA_GET_LE16(pos);
        pos += 2;
-       if (pos + slen > end)
+       if (slen > end - pos)
                return;
        end = pos + slen;
 
@@ -1288,7 +1288,7 @@ static void gas_serv_rx_gas_initial_req(struct hostapd_data *hapd,
        while (pos < end) {
                u16 info_id, elen;
 
-               if (pos + 4 > end)
+               if (end - pos < 4)
                        return;
 
                info_id = WPA_GET_LE16(pos);
@@ -1296,7 +1296,7 @@ static void gas_serv_rx_gas_initial_req(struct hostapd_data *hapd,
                elen = WPA_GET_LE16(pos);
                pos += 2;
 
-               if (pos + elen > end) {
+               if (elen > end - pos) {
                        wpa_printf(MSG_DEBUG, "ANQP: Invalid Query Request");
                        return;
                }