From 4debeb42a65c39638159b1a1b952e156f9c92940 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 11 Oct 2014 18:40:32 +0300
Subject: [PATCH] WFD: Use cleaner bounds checking for sub-element length field

Mark the variable as unsigned and make the length check use "len > end -
pos" version to makes this easier to understand for static analyzers
(CID 74155).

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 wpa_supplicant/wifi_display.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/wifi_display.c b/wpa_supplicant/wifi_display.c
index 6dc41dec0..715b67729 100644
--- a/wpa_supplicant/wifi_display.c
+++ b/wpa_supplicant/wifi_display.c
@@ -271,7 +271,7 @@ int wifi_display_subelem_set_from_ies(struct wpa_global *global,
 {
 	int subelements[MAX_WFD_SUBELEMS] = {};
 	const u8 *pos, *end;
-	int len, subelem;
+	unsigned int len, subelem;
 	struct wpabuf *e;
 
 	wpa_printf(MSG_DEBUG, "WFD IEs set: %p - %lu",
@@ -292,7 +292,7 @@ int wifi_display_subelem_set_from_ies(struct wpa_global *global,
 		wpa_printf(MSG_DEBUG, "WFD Sub-Element ID %d - len %d",
 			   *pos, len - 3);
 
-		if (pos + len > end)
+		if (len > end - pos)
 			break;
 
 		subelem = *pos;