From: Jouni Malinen Date: Sun, 18 Oct 2015 16:08:09 +0000 (+0300) Subject: nl80211: Avoid undefined behavior in pointer arithmetic X-Git-Tag: hostap_2_6~1465 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=336869f05a2e30c5400f8f63947b378f37562a75;p=thirdparty%2Fhostap.git nl80211: Avoid undefined behavior in pointer arithmetic Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen --- diff --git a/src/drivers/driver_nl80211_scan.c b/src/drivers/driver_nl80211_scan.c index eb894cc5b..966c3fb6b 100644 --- a/src/drivers/driver_nl80211_scan.c +++ b/src/drivers/driver_nl80211_scan.c @@ -448,8 +448,8 @@ const u8 * nl80211_get_ie(const u8 *ies, size_t ies_len, u8 ie) pos = ies; end = ies + ies_len; - while (pos + 1 < end) { - if (pos + 2 + pos[1] > end) + while (end - pos > 1) { + if (2 + pos[1] > end - pos) break; if (pos[0] == ie) return pos;
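Review bot: the two rewritten checks in nl80211_get_ie(), `while (end - pos > 1)` and `if (2 + pos[1] > end - pos)`, have no in-code comment saying why they are written in remaining-length form, so a later readability cleanup could turn them back into the `pos + 2 + pos[1] > end` shape that the commit message identifies as undefined behavior. A one-line comment above the loop, or a local holding `end - pos` with a descriptive name such as "left", would keep that reasoning in the source rather than only in the commit log. If such a local is added, keep it signed: as written, `2 + pos[1]` promotes to int and `end - pos` is a ptrdiff_t, so both sides of the comparison are signed and the loop condition guarantees the right-hand side is at least 2 before `pos[1]` is read. The unchanged context line `end = ies + ies_len;` still depends on the caller passing an `ies_len` that matches the buffer, which this hunk does not alter and which is worth stating in the function's comment.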