From 43aee9489954094b0c3792661f9e1505f9e5cbfe Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 23 Nov 2014 17:13:47 +0200
Subject: [PATCH] Interworking: Clearer ANQP element length validation
The upper bound for the element length was already verified, but that was not apparently noticed by a static analyzer (CID 68128).
Signed-off-by: Jouni Malinen
---
 wpa_supplicant/interworking.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index 19b6e38da..a22c8634f 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -2808,7 +2808,9 @@ void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token,
 end = pos + wpabuf_len(resp);
 while (pos < end) {
- if (pos + 4 > end) {
+ unsigned int left = end - pos;
+
+ if (left < 4) {
 wpa_printf(MSG_DEBUG, "ANQP: Invalid element");
 break;
 }
@@ -2816,7 +2818,8 @@ void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token,
 pos += 2;
 slen = WPA_GET_LE16(pos);
 pos += 2;
- if (pos + slen > end) {
+ left -= 4;
+ if (left < slen) {
 wpa_printf(MSG_DEBUG, "ANQP: Invalid element length "
 "for Info ID %u", info_id);
 break;
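Review bot: `left` in the first hunk is declared `unsigned int` but initialised from a pointer difference (`end - pos`), so the value is narrowed implicitly on 64-bit targets; `size_t left = end - pos;` would match the length that `end` was computed from and stay clean under `-Wconversion`. The difference cannot be negative because the loop condition guarantees `pos < end`, and the `left -= 4;` in the second hunk cannot wrap because of the `left < 4` check before it, so this is type hygiene rather than a reachable bug. Because `slen` is read from a received ANQP response, a short comment above `if (left < slen)` such as `/* compare against the remaining length; pos + slen could point past the buffer */` would record why the length form is used and discourage a later revert to the pointer form. anqp_resp_cb starts and ends outside both hunks, so the declaration of `slen` and the later advance of `pos` are not visible here.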