From: Jouni Malinen Date: Sun, 18 Oct 2015 16:07:52 +0000 (+0300) Subject: ndis: Avoid undefined behavior in pointer arithmetic X-Git-Tag: hostap_2_6~1466 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78c8ee488f0676b19daeda14a137ded9c56c1d8b;p=thirdparty%2Fhostap.git ndis: Avoid undefined behavior in pointer arithmetic Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen --- diff --git a/src/drivers/driver_ndis.c b/src/drivers/driver_ndis.c index 669f1b813..fd32134c7 100644 --- a/src/drivers/driver_ndis.c +++ b/src/drivers/driver_ndis.c @@ -785,8 +785,8 @@ static const u8 * wpa_scan_get_ie(const struct wpa_scan_res *res, u8 ie) pos = (const u8 *) (res + 1); end = pos + res->ie_len; - while (pos + 1 < end) { - if (pos + 2 + pos[1] > end) + while (end - pos > 1) { + if (2 + pos[1] > end - pos) break; if (pos[0] == ie) return pos;
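Review bot: The rewritten conditions `while (end - pos > 1)` and `if (2 + pos[1] > end - pos)` are only sound while `pos <= end`, and nothing in the hunk states that invariant. `end - pos` is a signed `ptrdiff_t` and `2 + pos[1]` promotes to `int`, so the comparison is signed and works as intended only when the difference is non-negative. A one-line comment above the loop saying that the length check guarantees at least `2 + pos[1]` bytes remain before `pos` is used or advanced would make that explicit. Separately, the unchanged context line `end = pos + res->ie_len;` still forms the end pointer with no check on `res->ie_len` visible in this hunk, so the change assumes the length was already bounded to the allocation by the code that filled in `res`. It would be worth confirming that, or pointing to where it is validated, in the commit message.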