From a5a2f252cb5b2813f146e036ae0adb0e5c02d35c Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 18 Oct 2015 18:40:41 +0300
Subject: [PATCH] AP: Avoid undefined behavior in pointer arithmetic in IE parsing Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior.
Signed-off-by: Jouni Malinen
---
 src/ap/beacon.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index e5b52fa20..5f65b7dd1 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -553,8 +553,8 @@ static enum ssid_match_result ssid_match(struct hostapd_data *hapd,
 pos = ssid_list;
 end = ssid_list + ssid_list_len;
- while (pos + 1 <= end) {
- if (pos + 2 + pos[1] > end)
+ while (end - pos >= 1) {
+ if (2 + pos[1] > end - pos)
 break;
 if (pos[1] == 0)
 wildcard = 1;
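Review bot: The rewritten loop guard `while (end - pos >= 1) {` still admits an iteration with a single byte left, and the next line evaluates `pos[1]` before any length check, so the length octet is read one byte past `end` when the list ends on a lone element ID. The reordering removes the out-of-range pointer arithmetic but keeps that one-byte over-read from the old `pos + 1 <= end` form; requiring a full two-byte header, `while (end - pos >= 2) {`, closes it. If ssid_list comes from a received frame, as the name suggests, the trailing bytes are sender-controlled, so the guard is worth tightening in the same change. ssid_match's body starts and ends outside the hunk, so the later reads in the loop could not be checked here.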