|
|
@@ -508,20 +508,25 @@ static struct nai_realm * nai_realm_parse(struct wpabuf *anqp, u16 *count)
|
|
|
struct nai_realm *realm;
|
|
|
const u8 *pos, *end;
|
|
|
u16 i, num;
|
|
|
+ size_t left;
|
|
|
|
|
|
- if (anqp == NULL || wpabuf_len(anqp) < 2)
|
|
|
+ if (anqp == NULL)
|
|
|
+ return NULL;
|
|
|
+ left = wpabuf_len(anqp);
|
|
|
+ if (left < 2)
|
|
|
return NULL;
|
|
|
|
|
|
pos = wpabuf_head_u8(anqp);
|
|
|
- end = pos + wpabuf_len(anqp);
|
|
|
+ end = pos + left;
|
|
|
num = WPA_GET_LE16(pos);
|
|
|
wpa_printf(MSG_DEBUG, "NAI Realm Count: %u", num);
|
|
|
pos += 2;
|
|
|
+ left -= 2;
|
|
|
|
|
|
- if (num * 5 > end - pos) {
|
|
|
+ if (num > left / 5) {
|
|
|
wpa_printf(MSG_DEBUG, "Invalid NAI Realm Count %u - not "
|
|
|
"enough data (%u octets) for that many realms",
|
|
|
- num, (unsigned int) (end - pos));
|
|
|
+ num, (unsigned int) left);
|
|
|
return NULL;
|
|
|
}
|
|
|
|
Jouni Malinen