GAS: Clean up Query Response length validation

Previous version was correct, but apparently too complex for some static
analyzers. (CID 68119)

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/gas_query.c b/wpa_supplicant/gas_query.c
index 3a89674..10ecce7 100644 (file)
--- a/wpa_supplicant/gas_query.c
+++ b/wpa_supplicant/gas_query.c
@@ -442,6 +442,7 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
        u16 comeback_delay, resp_len;
        const u8 *pos, *adv_proto;
        int prot, pmf;
+       unsigned int left;
 
        if (gas == NULL || len < 4)
                return -1;
@@ -543,17 +544,17 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
        resp_len = WPA_GET_LE16(pos);
        pos += 2;
 
-       if (pos + resp_len > data + len) {
+       left = data + len - pos;
+       if (resp_len > left) {
                wpa_printf(MSG_DEBUG, "GAS: Truncated Query Response in "
                           "response from " MACSTR, MAC2STR(sa));
                return 0;
        }
 
-       if (pos + resp_len < data + len) {
+       if (resp_len < left) {
                wpa_printf(MSG_DEBUG, "GAS: Ignore %u octets of extra data "
                           "after Query Response from " MACSTR,
-                          (unsigned int) (data + len - pos - resp_len),
-                          MAC2STR(sa));
+                          left - resp_len, MAC2STR(sa));
        }
 
        if (action == WLAN_PA_GAS_COMEBACK_RESP)