AP: Avoid undefined behavior in pointer arithmetic in IE parsing
author	Jouni Malinen <j@w1.fi>
Sun, 18 Oct 2015 15:40:41 +0000 (18:40 +0300)
committer	Jouni Malinen <j@w1.fi>
Sun, 25 Oct 2015 13:34:59 +0000 (15:34 +0200)
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer),
while pos+len could end up pointing beyond the end pointer, which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/ap/beacon.c

index e5b52fa..5f65b7d 100644 (file)
@@ -553,8 +553,8 @@ static enum ssid_match_result ssid_match(struct hostapd_data *hapd,
 
        pos = ssid_list;
        end = ssid_list + ssid_list_len;
-       while (pos + 1 <= end) {
-               if (pos + 2 + pos[1] > end)
+       while (end - pos >= 1) {
+               if (2 + pos[1] > end - pos)
                        break;
                if (pos[1] == 0)
                        wildcard = 1;
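Review bot: the loop guard `while (end - pos >= 1)` still allows `pos[1]` to be evaluated in `if (2 + pos[1] > end - pos)` when only one byte remains, which is a read one past `end`; the reordering makes the pointer arithmetic well defined but the length byte is dereferenced before the check that would reject the truncated element. Suggest `while (end - pos >= 2)` so both header bytes are known to be present before `pos[1]` is read. The original `pos + 1 <= end` had the same gap, so this is a pre-existing issue that the rewrite is a good moment to close.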