From af185d0b578fc447b1db0b42a03d8b2467decffd Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Tue, 28 Apr 2015 17:20:09 +0300
Subject: [PATCH] WPS: Extra validation step for HTTP reader

Verify that ncopy parameter to memcpy is not negative. While this is not
supposed to be needed, it is a good additional protection against
unknown implementation issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/wps/httpread.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/wps/httpread.c b/src/wps/httpread.c
index d2855e32f..3570a1fda 100644
--- a/src/wps/httpread.c
+++ b/src/wps/httpread.c
@@ -608,6 +608,11 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
 				ncopy = nread;
 			}
 			/* Note: should never be 0 */
+			if (ncopy < 0) {
+				wpa_printf(MSG_DEBUG,
+					   "httpread: Invalid ncopy=%d", ncopy);
+				goto bad;
+			}
 			if (ncopy > nread)
 				ncopy = nread;
 			os_memcpy(bbp, rbp, ncopy);