WNM: Try to make bounds checking easier for static analyzers
authorJouni Malinen <j@w1.fi>
Sun, 8 May 2022 09:19:42 +0000 (12:19 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 8 May 2022 13:41:31 +0000 (16:41 +0300)
The length of the URL, i.e., pos[0], is verified here to be within the
bounds of the received message, but that seemed to be done in a manner
that might be too complex for static analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant/wnm_sta.c

index 96160dccbf5b38e85d7b6b238cb1a72e86e7a3aa..0a4b9d47483ca7fe2e49aff0d86e18933486b5e3 100644 (file)
@@ -1453,15 +1453,22 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
 
        if (wpa_s->wnm_mode & WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT) {
                char url[256];
+               u8 url_len;
 
-               if (end - pos < 1 || 1 + pos[0] > end - pos) {
+               if (end - pos < 1) {
                        wpa_printf(MSG_DEBUG, "WNM: Invalid BSS Transition "
                                   "Management Request (URL)");
                        return;
                }
-               os_memcpy(url, pos + 1, pos[0]);
-               url[pos[0]] = '\0';
-               pos += 1 + pos[0];
+               url_len = *pos++;
+               if (url_len > end - pos) {
+                       wpa_printf(MSG_DEBUG,
+                                  "WNM: Invalid BSS Transition Management Request (URL truncated)");
+                       return;
+               }
+               os_memcpy(url, pos, url_len);
+               url[url_len] = '\0';
+               pos += url_len;
 
                wpa_msg(wpa_s, MSG_INFO, ESS_DISASSOC_IMMINENT "%d %u %s",
                        wpa_sm_pmf_enabled(wpa_s->wpa),
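Review bot: The bound on the stack buffer is still implicit in the new lines: `os_memcpy(url, pos, url_len)` and `url[url_len] = '\0'` stay inside `char url[256]` only because `url_len` is declared `u8`, and nothing in the hunk says so. Since the commit aims to make the checks easier for analyzers to follow, I would state that coupling at the declaration, e.g. `/* u8: at most 255 bytes, so the copy plus NUL fits url[256] */`, or add `url_len >= sizeof(url)` to the truncation check so a later change to the type or the array size cannot silently break it. Separately, the URL bytes come from the received frame and appear to be passed to `wpa_msg()` under `%s` just past the end of the hunk; if so, non-printable bytes reach event consumers unescaped, and escaping them before logging may be worth considering. The function body starts and ends outside this hunk.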