From: Jouni Malinen <j@w1.fi>
Date: Sat, 17 Oct 2015 22:42:03 +0000 (+0300)
Subject: WPS: Avoid undefined behavior in pointer arithmetic
X-Git-Tag: hostap_2_6~1490
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=625745c297eff3db1c01bdb7d963ca24b3fca1d7;p=thirdparty%2Fhostap.git

WPS: Avoid undefined behavior in pointer arithmetic

Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/wps/wps_attr_parse.c b/src/wps/wps_attr_parse.c
index 11a967ba0..756d57e87 100644
--- a/src/wps/wps_attr_parse.c
+++ b/src/wps/wps_attr_parse.c
@@ -83,10 +83,10 @@ static int wps_parse_vendor_ext_wfa(struct wps_parse_attr *attr, const u8 *pos,
 	const u8 *end = pos + len;
 	u8 id, elen;
 
-	while (pos + 2 <= end) {
+	while (end - pos >= 2) {
 		id = *pos++;
 		elen = *pos++;
-		if (pos + elen > end)
+		if (elen > end - pos)
 			break;
 		if (wps_set_vendor_ext_wfa_subelem(attr, id, elen, pos) < 0)
 			return -1;