diff --git a/wpa_supplicant/hs20_supplicant.c b/wpa_supplicant/hs20_supplicant.c
index 3bf777e6a..de350bbb4 100644
--- a/wpa_supplicant/hs20_supplicant.c
+++ b/wpa_supplicant/hs20_supplicant.c
@@ -901,14 +901,25 @@ static void hs20_osu_add_prov(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
 	/* OSU Friendly Name Duples */
 	while (pos - pos2 >= 4 && prov->friendly_name_count < OSU_MAX_ITEMS) {
 		struct osu_lang_string *f;
-		if (1 + pos2[0] > pos - pos2 || pos2[0] < 3) {
+		u8 slen;
+
+		slen = pos2[0];
+		if (1 + slen > pos - pos2) {
 			wpa_printf(MSG_DEBUG, "Invalid OSU Friendly Name");
 			break;
 		}
+		if (slen < 3) {
+			wpa_printf(MSG_DEBUG,
+				   "Invalid OSU Friendly Name (no room for language)");
+			break;
+		}
 		f = &prov->friendly_name[prov->friendly_name_count++];
-		os_memcpy(f->lang, pos2 + 1, 3);
-		os_memcpy(f->text, pos2 + 1 + 3, pos2[0] - 3);
-		pos2 += 1 + pos2[0];
+		pos2++;
+		os_memcpy(f->lang, pos2, 3);
+		pos2 += 3;
+		slen -= 3;
+		os_memcpy(f->text, pos2, slen);
+		pos2 += slen;
 	}
 
 	/* OSU Server URI */