HS 2.0: Clarify OSU Server URI length validation

The previous version was valid, but apparently too complex for some
static analyzers. Use a local variable for uri_len and explicitly
compare it against the remaining buffer length. (CID 68121)

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/hs20_supplicant.c b/wpa_supplicant/hs20_supplicant.c
index a36e7cf..315fa28 100644 (file)
--- a/wpa_supplicant/hs20_supplicant.c
+++ b/wpa_supplicant/hs20_supplicant.c
@@ -562,6 +562,7 @@ static void hs20_osu_add_prov(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
        const u8 *end = pos + len;
        u16 len2;
        const u8 *pos2;
+       u8 uri_len;
 
        wpa_hexdump(MSG_DEBUG, "HS 2.0: Parsing OSU Provider", pos, len);
        prov = os_realloc_array(wpa_s->osu_prov,
@@ -607,13 +608,19 @@ static void hs20_osu_add_prov(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
        }
 
        /* OSU Server URI */
-       if (pos + 1 > end || pos + 1 + pos[0] > end) {
+       if (pos + 1 > end) {
+               wpa_printf(MSG_DEBUG,
+                          "HS 2.0: Not enough room for OSU Server URI length");
+               return;
+       }
+       uri_len = *pos++;
+       if (uri_len > end - pos) {
                wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU Server "
                           "URI");
                return;
        }
-       os_memcpy(prov->server_uri, pos + 1, pos[0]);
-       pos += 1 + pos[0];
+       os_memcpy(prov->server_uri, pos, uri_len);
+       pos += uri_len;
 
        /* OSU Method list */
        if (pos + 1 > end || pos + 1 + pos[0] > end) {