From 5c58c0ce86d7f81d456c0ab675adb47e42fd0bdb Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 23 Nov 2014 18:55:06 +0200 Subject: [PATCH] HS 2.0: More explicit hs20_osu_icon_fetch() length validation The previous version was fine, but too much for some static analyzers to understand as proper bounds checking. (CID 68122) Signed-off-by: Jouni Malinen --- wpa_supplicant/hs20_supplicant.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wpa_supplicant/hs20_supplicant.c b/wpa_supplicant/hs20_supplicant.c index 257aa6d11..a36e7cfc7 100644 --- a/wpa_supplicant/hs20_supplicant.c +++ b/wpa_supplicant/hs20_supplicant.c @@ -778,7 +778,7 @@ void hs20_osu_icon_fetch(struct wpa_supplicant *wpa_s) num_providers--; len = WPA_GET_LE16(pos); pos += 2; - if (pos + len > end) + if (len > (unsigned int) (end - pos)) break; hs20_osu_add_prov(wpa_s, bss, osu_ssid, osu_ssid_len, pos, len);