From 22c06de911dfa3e3459817f87f19722d04386819 Mon Sep 17 00:00:00 2001
From: Brian Norris <briannorris@chromium.org>
Date: Wed, 19 Aug 2020 12:44:46 -0700
Subject: [PATCH] wlantest: Avoid heap-overflow on unexpected data

We're doing a sort of bounds check, based on the previous loop, but only
after we've already tried to read off the end.

This squashes some ASAN errors I'm seeing when running the ap_ft hwsim
test module.

Signed-off-by: Brian Norris <briannorris@chromium.org>
---
 wlantest/rx_eapol.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wlantest/rx_eapol.c b/wlantest/rx_eapol.c
index d75ed92ba..44388fdda 100644
--- a/wlantest/rx_eapol.c
+++ b/wlantest/rx_eapol.c
@@ -722,8 +722,8 @@ static void rx_data_eapol_key_3_of_4(struct wlantest *wt, const u8 *dst,
 			}
 			p += 2 + p[1];
 		}
-		if (p && p > decrypted && *p == 0xdd &&
-		    p + 1 == decrypted + decrypted_len) {
+		if (p && p > decrypted && p + 1 == decrypted + decrypted_len &&
+		    *p == 0xdd) {
 			/* Remove padding */
 			p--;
 			plain_len = p - decrypted;