diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c index 19b6e38da..a22c8634f 100644 --- a/wpa_supplicant/interworking.c +++ b/wpa_supplicant/interworking.c @@ -2808,7 +2808,9 @@ void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token, end = pos + wpabuf_len(resp); while (pos < end) { - if (pos + 4 > end) { + unsigned int left = end - pos; + + if (left < 4) { wpa_printf(MSG_DEBUG, "ANQP: Invalid element"); break; } @@ -2816,7 +2818,8 @@ void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token, pos += 2; slen = WPA_GET_LE16(pos); pos += 2; - if (pos + slen > end) { + left -= 4; + if (left < slen) { wpa_printf(MSG_DEBUG, "ANQP: Invalid element length " "for Info ID %u", info_id); break;