From 5d017065a0d5e94244f85bb1930560c31733d43d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 23 Nov 2014 20:13:09 +0200
Subject: [PATCH] GAS: Clean up Query Response length validation

Previous version was correct, but apparently too complex for some static analyzers. (CID 68119)

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/gas_query.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/wpa_supplicant/gas_query.c b/wpa_supplicant/gas_query.c
index 3a89674fa..10ecce7b4 100644
--- a/wpa_supplicant/gas_query.c
+++ b/wpa_supplicant/gas_query.c
@@ -442,6 +442,7 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
 	u16 comeback_delay, resp_len;
 	const u8 *pos, *adv_proto;
 	int prot, pmf;
+	unsigned int left;
 
 	if (gas == NULL || len < 4)
 		return -1;
@@ -543,17 +544,17 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
 	resp_len = WPA_GET_LE16(pos);
 	pos += 2;
 
-	if (pos + resp_len > data + len) {
+	left = data + len - pos;
+	if (resp_len > left) {
 		wpa_printf(MSG_DEBUG, "GAS: Truncated Query Response in "
 			   "response from " MACSTR, MAC2STR(sa));
 		return 0;
 	}
 
-	if (pos + resp_len < data + len) {
+	if (resp_len < left) {
 		wpa_printf(MSG_DEBUG, "GAS: Ignore %u octets of extra data "
 			   "after Query Response from " MACSTR,
-			   (unsigned int) (data + len - pos - resp_len),
-			   MAC2STR(sa));
+			   left - resp_len, MAC2STR(sa));
 	}
 
 	if (action == WLAN_PA_GAS_COMEBACK_RESP)
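Review bot: The new `left = data + len - pos;` in the second hunk silently converts a `ptrdiff_t` into `unsigned int`, so the truncation check `if (resp_len > left)` is only sound if every parse step before this point already guarantees `pos <= data + len`; a negative difference would wrap to a large value and let an over-long `resp_len` through, which the old pointer comparison handled the same way but made visible. That earlier validation lies outside this hunk (the body of `gas_query_rx` starts and ends outside both hunks), so the invariant should be stated where it is relied upon: `/* pos has been bounds-checked against data + len while parsing the header above, so the difference is non-negative and fits in an unsigned int. */` above the assignment. Declaring `left` as `size_t` (or `ptrdiff_t`) rather than `unsigned int` would also avoid depending on the narrowing, at the cost of a cast back in the `%u` format argument `left - resp_len`, which as written now correctly matches the `unsigned int` promotion and no longer needs the removed explicit cast.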