P2P: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
625745c297
commit
d6ee858c3b
5 changed files with 64 additions and 65 deletions
|
@ -636,11 +636,11 @@ static void p2p_update_peer_vendor_elems(struct p2p_device *dev, const u8 *ies,
|
|||
|
||||
end = ies + ies_len;
|
||||
|
||||
for (pos = ies; pos + 1 < end; pos += len) {
|
||||
for (pos = ies; end - pos > 1; pos += len) {
|
||||
id = *pos++;
|
||||
len = *pos++;
|
||||
|
||||
if (pos + len > end)
|
||||
if (len > end - pos)
|
||||
break;
|
||||
|
||||
if (id != WLAN_EID_VENDOR_SPECIFIC || len < 3)
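Review bot: Nothing in the code records why the loop condition and the bounds check are written as `end - pos > 1` and `len > end - pos`, so a later cleanup could turn them back into the `pos + len > end` form. A short comment above the loop would keep the reason visible, for example `/* Compare against the remaining length (end - pos); pos + len may point past end, which is undefined. */`. The loop condition guarantees two readable bytes before `id` and `len` are fetched, so `end - pos` is non-negative at the length check. The declaration of `len` and the rest of the loop body in p2p_update_peer_vendor_elems are outside the hunk.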
|
||||
|
|