privsep: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
45a283e6d0
commit
ceb19ff7a6
1 changed files with 2 additions and 2 deletions
|
|
@ -161,11 +161,11 @@ wpa_driver_privsep_get_scan_results2(void *priv)
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
while (results->num < (size_t) num && pos + sizeof(int) < end) {
|
while (results->num < (size_t) num && end - pos > sizeof(int)) {
|
||||||
int len;
|
int len;
|
||||||
os_memcpy(&len, pos, sizeof(int));
|
os_memcpy(&len, pos, sizeof(int));
|
||||||
pos += sizeof(int);
|
pos += sizeof(int);
|
||||||
if (len < 0 || len > 10000 || pos + len > end)
|
if (len < 0 || len > 10000 || len > end - pos)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
r = os_malloc(len);
|
r = os_malloc(len);
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue