From 78c8ee488f0676b19daeda14a137ded9c56c1d8b Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 18 Oct 2015 19:07:52 +0300
Subject: [PATCH] ndis: Avoid undefined behavior in pointer arithmetic

Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior.

Signed-off-by: Jouni Malinen
---
 src/drivers/driver_ndis.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/drivers/driver_ndis.c b/src/drivers/driver_ndis.c
index 669f1b813..fd32134c7 100644
--- a/src/drivers/driver_ndis.c
+++ b/src/drivers/driver_ndis.c
@@ -785,8 +785,8 @@ static const u8 * wpa_scan_get_ie(const struct wpa_scan_res *res, u8 ie)
 pos = (const u8 *) (res + 1);
 end = pos + res->ie_len;
- while (pos + 1 < end) {
- if (pos + 2 + pos[1] > end)
+ while (end - pos > 1) {
+ if (2 + pos[1] > end - pos)
 break;
 if (pos[0] == ie)
 return pos;
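Review bot: The unchanged context line `end = pos + res->ie_len;` is itself a pos+len computation, so the guarantee the commit message relies on (end - pos is always defined) holds only if ie_len never exceeds the bytes actually stored after the struct. Whether that bound is enforced where the scan result is built is not visible in this hunk; if it is, a comment above that line such as `/* ie_len is bounded by the data following res, so end is at most one past the buffer */` would record the invariant. The two rewritten checks would also benefit from a short why-comment, e.g. `/* compare remaining length, not pointers: pos + len may point past end */`, so a later cleanup does not restore the old form. The function starts and ends outside the hunk, including the step that advances pos.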