Interworking: Clearer ANQP element length validation

The upper bound for the element length was already verified, but that
was apparently not noticed by a static analyzer (CID 68128).

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2014-11-23 17:13:47 +02:00
parent b81e274cdf
commit 43aee94899


@ -2808,7 +2808,9 @@ void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token,
end = pos + wpabuf_len(resp); end = pos + wpabuf_len(resp);
while (pos < end) { while (pos < end) {
if (pos + 4 > end) { unsigned int left = end - pos;
if (left < 4) {
wpa_printf(MSG_DEBUG, "ANQP: Invalid element"); wpa_printf(MSG_DEBUG, "ANQP: Invalid element");
break; break;
} }
@ -2816,7 +2818,8 @@ void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token,
pos += 2; pos += 2;
slen = WPA_GET_LE16(pos); slen = WPA_GET_LE16(pos);
pos += 2; pos += 2;
if (pos + slen > end) { left -= 4;
if (left < slen) {
wpa_printf(MSG_DEBUG, "ANQP: Invalid element length " wpa_printf(MSG_DEBUG, "ANQP: Invalid element length "
"for Info ID %u", info_id); "for Info ID %u", info_id);
break; break;
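Review bot: The literal `4` in `if (left < 4)` and `left -= 4;` is unexplained. Judging by the two `pos += 2` steps and the "Info ID" message, it is presumably the element header (2-octet Info ID plus 2-octet length), so a comment such as `/* Info ID (2) + Length (2) */` or a named constant would keep the two uses in step. `left` holds a pointer difference, so `size_t left = end - pos;` would be the more conventional type than `unsigned int`; the `pos < end` loop guard already keeps the value non-negative. It would also help to add a comment at `if (left < slen)` saying that the attacker-controlled `slen` is compared against the remaining byte count, so that a later cleanup does not go back to forming `pos + slen` beyond the end of the response buffer. The body of anqp_resp_cb starts and ends outside these hunks, so how `slen` is used after the check is not visible here.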