From: Jouni Malinen <j@w1.fi>
Date: Sun, 23 Nov 2014 16:55:06 +0000 (+0200)
Subject: HS 2.0: More explicit hs20_osu_icon_fetch() length validation
X-Git-Tag: hostap_2_4~1046
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c58c0ce86d7f81d456c0ab675adb47e42fd0bdb;p=thirdparty%2Fhostap.git

HS 2.0: More explicit hs20_osu_icon_fetch() length validation

The previous version was fine, but too much for some static analyzers to
understand as proper bounds checking. (CID 68122)

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/wpa_supplicant/hs20_supplicant.c b/wpa_supplicant/hs20_supplicant.c
index 257aa6d11..a36e7cfc7 100644
--- a/wpa_supplicant/hs20_supplicant.c
+++ b/wpa_supplicant/hs20_supplicant.c
@@ -778,7 +778,7 @@ void hs20_osu_icon_fetch(struct wpa_supplicant *wpa_s)
 			num_providers--;
 			len = WPA_GET_LE16(pos);
 			pos += 2;
-			if (pos + len > end)
+			if (len > (unsigned int) (end - pos))
 				break;
 			hs20_osu_add_prov(wpa_s, bss, osu_ssid,
 					  osu_ssid_len, pos, len);