From 336869f05a2e30c5400f8f63947b378f37562a75 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 18 Oct 2015 19:08:09 +0300 Subject: [PATCH] nl80211: Avoid undefined behavior in pointer arithmetic Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen --- src/drivers/driver_nl80211_scan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/drivers/driver_nl80211_scan.c b/src/drivers/driver_nl80211_scan.c index eb894cc5b..966c3fb6b 100644 --- a/src/drivers/driver_nl80211_scan.c +++ b/src/drivers/driver_nl80211_scan.c @@ -448,8 +448,8 @@ const u8 * nl80211_get_ie(const u8 *ies, size_t ies_len, u8 ie) pos = ies; end = ies + ies_len; - while (pos + 1 < end) { - if (pos + 2 + pos[1] > end) + while (end - pos > 1) { + if (2 + pos[1] > end - pos) break; if (pos[0] == ie) return pos;