GAS: Clean up Query Response length validation

Previous version was correct, but apparently too complex for some static
analyzers. (CID 68119)

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2014-11-23 20:13:09 +02:00
parent 355e17eb1b
commit 5d017065a0


@ -442,6 +442,7 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
u16 comeback_delay, resp_len;
const u8 *pos, *adv_proto;
int prot, pmf;
unsigned int left;
if (gas == NULL || len < 4)
return -1;
@ -543,17 +544,17 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
resp_len = WPA_GET_LE16(pos);
pos += 2;
if (pos + resp_len > data + len) {
left = data + len - pos;
if (resp_len > left) {
wpa_printf(MSG_DEBUG, "GAS: Truncated Query Response in "
"response from " MACSTR, MAC2STR(sa));
return 0;
}
if (pos + resp_len < data + len) {
if (resp_len < left) {
wpa_printf(MSG_DEBUG, "GAS: Ignore %u octets of extra data "
"after Query Response from " MACSTR,
(unsigned int) (data + len - pos - resp_len),
MAC2STR(sa));
left - resp_len, MAC2STR(sa));
}
if (action == WLAN_PA_GAS_COMEBACK_RESP)
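Review bot: `left = data + len - pos;` in the second hunk is only safe if `pos` can never be past `data + len` when it runs; the check that would establish this (room for the two-octet length field before `WPA_GET_LE16(pos)`) is not visible in the hunk, so it should be confirmed. With the old pointer comparison a `pos` beyond the end still fell into the "Truncated Query Response" branch, whereas here a negative difference converts to a large `unsigned int` and `resp_len > left` would no longer reject the frame. Since this length comes from a received frame, I would record the invariant next to the assignment, e.g. `/* pos <= data + len was verified before reading resp_len, so this cannot wrap */`. gas_query_rx starts before the first hunk and continues past the second.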