From f758ae76655301c08173b505db27deb407a2aca3 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 18 Oct 2015 12:11:45 +0300
Subject: [PATCH] P2P SD: Avoid undefined behavior in pointer arithmetic

Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 wpa_supplicant/p2p_supplicant_sd.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/wpa_supplicant/p2p_supplicant_sd.c b/wpa_supplicant/p2p_supplicant_sd.c
index fc07b0746..f8675e68b 100644
--- a/wpa_supplicant/p2p_supplicant_sd.c
+++ b/wpa_supplicant/p2p_supplicant_sd.c
@@ -48,7 +48,7 @@ static int p2p_sd_dns_uncompress_label(char **upos, char *uend, u8 *start,
 			u8 *spos_tmp;
 
 			/* Offset */
-			if (*spos + 2 > end) {
+			if (end - *spos < 2) {
 				wpa_printf(MSG_DEBUG, "P2P: No room for full "
 					   "DNS offset field");
 				return -1;
@@ -74,14 +74,14 @@ static int p2p_sd_dns_uncompress_label(char **upos, char *uend, u8 *start,
 			return 0;
 
 		(*spos)++;
-		if (*spos + len > end) {
+		if (len > end - *spos) {
 			wpa_printf(MSG_DEBUG, "P2P: Invalid domain name "
 				   "sequence - no room for label with length "
 				   "%u", len);
 			return -1;
 		}
 
-		if (*upos + len + 2 > uend)
+		if (len + 2 > uend - *upos)
 			return -2;
 
 		os_memcpy(*upos, *spos, len);
@@ -722,11 +722,11 @@ void wpas_sd_request(void *ctx, int freq, const u8 *sa, u8 dialog_token,
 	if (resp == NULL)
 		return;
 
-	while (pos + 1 < end) {
+	while (end - pos > 1) {
 		wpa_printf(MSG_DEBUG, "P2P: Service Request TLV");
 		slen = WPA_GET_LE16(pos);
 		pos += 2;
-		if (pos + slen > end || slen < 2) {
+		if (slen > end - pos || slen < 2) {
 			wpa_printf(MSG_DEBUG, "P2P: Unexpected Query Data "
 				   "length");
 			wpabuf_free(resp);
@@ -827,10 +827,10 @@ static void wpas_sd_p2ps_serv_response(struct wpa_supplicant *wpa_s,
 		u8 svc_len;
 
 		/* Sanity check fixed length+svc_str */
-		if (pos + 6 >= tlv_end)
+		if (6 >= tlv_end - pos)
 			break;
 		svc_len = pos[6];
-		if (pos + svc_len + 10 > tlv_end)
+		if (svc_len + 10 > tlv_end - pos)
 			break;
 
 		/* Advertisement ID */
@@ -917,13 +917,13 @@ void wpas_sd_response(void *ctx, const u8 *sa, u16 update_indic,
 		}
 	}
 
-	while (pos < end) {
+	while (end - pos >= 2) {
 		u8 srv_proto, srv_trans_id, status;
 
 		wpa_printf(MSG_DEBUG, "P2P: Service Response TLV");
 		slen = WPA_GET_LE16(pos);
 		pos += 2;
-		if (pos + slen > end || slen < 3) {
+		if (slen > end - pos || slen < 3) {
 			wpa_printf(MSG_DEBUG, "P2P: Unexpected Response Data "
 				   "length");
 			return;