X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=wpa_supplicant%2Fp2p_supplicant_sd.c;h=f8675e68bec489db45b3b3fd237defd3c0b20ca0;hb=b84ce655d31a2236734c788fd3292c10d5d9f0b1;hp=fc07b07462f5ab05cebecfa5eb066b5dd5a11b40;hpb=e2b7fbf2fb3491ce828da7079244196ce03c3fd4;p=mech_eap.git

diff --git a/wpa_supplicant/p2p_supplicant_sd.c b/wpa_supplicant/p2p_supplicant_sd.c
index fc07b07..f8675e6 100644
--- a/wpa_supplicant/p2p_supplicant_sd.c
+++ b/wpa_supplicant/p2p_supplicant_sd.c
@@ -48,7 +48,7 @@ static int p2p_sd_dns_uncompress_label(char **upos, char *uend, u8 *start,
 			u8 *spos_tmp;
 
 			/* Offset */
-			if (*spos + 2 > end) {
+			if (end - *spos < 2) {
 				wpa_printf(MSG_DEBUG, "P2P: No room for full "
 					   "DNS offset field");
 				return -1;
@@ -74,14 +74,14 @@ static int p2p_sd_dns_uncompress_label(char **upos, char *uend, u8 *start,
 			return 0;
 
 		(*spos)++;
-		if (*spos + len > end) {
+		if (len > end - *spos) {
 			wpa_printf(MSG_DEBUG, "P2P: Invalid domain name "
 				   "sequence - no room for label with length "
 				   "%u", len);
 			return -1;
 		}
 
-		if (*upos + len + 2 > uend)
+		if (len + 2 > uend - *upos)
 			return -2;
 
 		os_memcpy(*upos, *spos, len);
@@ -722,11 +722,11 @@ void wpas_sd_request(void *ctx, int freq, const u8 *sa, u8 dialog_token,
 	if (resp == NULL)
 		return;
 
-	while (pos + 1 < end) {
+	while (end - pos > 1) {
 		wpa_printf(MSG_DEBUG, "P2P: Service Request TLV");
 		slen = WPA_GET_LE16(pos);
 		pos += 2;
-		if (pos + slen > end || slen < 2) {
+		if (slen > end - pos || slen < 2) {
 			wpa_printf(MSG_DEBUG, "P2P: Unexpected Query Data "
 				   "length");
 			wpabuf_free(resp);
@@ -827,10 +827,10 @@ static void wpas_sd_p2ps_serv_response(struct wpa_supplicant *wpa_s,
 		u8 svc_len;
 
 		/* Sanity check fixed length+svc_str */
-		if (pos + 6 >= tlv_end)
+		if (6 >= tlv_end - pos)
 			break;
 		svc_len = pos[6];
-		if (pos + svc_len + 10 > tlv_end)
+		if (svc_len + 10 > tlv_end - pos)
 			break;
 
 		/* Advertisement ID */
@@ -917,13 +917,13 @@ void wpas_sd_response(void *ctx, const u8 *sa, u16 update_indic,
 		}
 	}
 
-	while (pos < end) {
+	while (end - pos >= 2) {
 		u8 srv_proto, srv_trans_id, status;
 
 		wpa_printf(MSG_DEBUG, "P2P: Service Response TLV");
 		slen = WPA_GET_LE16(pos);
 		pos += 2;
-		if (pos + slen > end || slen < 3) {
+		if (slen > end - pos || slen < 3) {
 			wpa_printf(MSG_DEBUG, "P2P: Unexpected Response Data "
 				   "length");
 			return;