From: Jouni Malinen
Date: Sat, 11 Oct 2014 15:40:32 +0000 (+0300)
Subject: WFD: Use cleaner bounds checking for sub-element length field
X-Git-Tag: hostap_2_4~1349
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4debeb42a65c39638159b1a1b952e156f9c92940;p=thirdparty%2Fhostap.git
WFD: Use cleaner bounds checking for sub-element length field
Mark the variable as unsigned and make the length check use "len > end - pos" version to makes this easier to understand for static analyzers (CID 74155).
Signed-off-by: Jouni Malinen
---
diff --git a/wpa_supplicant/wifi_display.c b/wpa_supplicant/wifi_display.c
index 6dc41dec0..715b67729 100644
--- a/wpa_supplicant/wifi_display.c
+++ b/wpa_supplicant/wifi_display.c
@@ -271,7 +271,7 @@ int wifi_display_subelem_set_from_ies(struct wpa_global *global,
 {
 int subelements[MAX_WFD_SUBELEMS] = {};
 const u8 *pos, *end;
- int len, subelem;
+ unsigned int len, subelem;
 struct wpabuf *e;
 wpa_printf(MSG_DEBUG, "WFD IEs set: %p - %lu",
@@ -292,7 +292,7 @@ int wifi_display_subelem_set_from_ies(struct wpa_global *global,
 wpa_printf(MSG_DEBUG, "WFD Sub-Element ID %d - len %d", *pos, len - 3);
- if (pos + len > end)
+ if (len > end - pos)
 break;
 subelem = *pos;
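Review bot: The new declaration `unsigned int len, subelem;` also flips the signedness of `subelem`, which the commit description does not mention, and neither variable carries a comment saying what it holds. I would split the line and document the length, e.g. `unsigned int len; /* sub-element length, compared against end - pos */` followed by `unsigned int subelem;`. Any later use of `subelem` as an index into `subelements[]` or in a comparison with a signed value lies outside this hunk and should be re-read against the new type. The function body starts and ends outside the hunk.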
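Review bot: The `wpa_printf` just above the rewritten check still formats `len - 3` with `%d` although `len` is now `unsigned int`; the specifier should follow the type, `"WFD Sub-Element ID %d - len %u"`. The new test `len > end - pos` compares an unsigned value with a signed pointer difference, so it is only sound while `pos <= end`. That invariant presumably comes from the condition of the enclosing loop (implied by the `break`), which is outside the hunk. A short comment such as `/* end - pos is non-negative here */` next to the check would record it for the next reader and for the static analyzer.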