This patch correctly checks, if enough data bytes for parsing IEs are present (-2 in check for type and length). Furthermore, it adds a nullptr and length check to ease future fuzzing. Signed-off-by: Markus Theil <markus.theil@xxxxxxxxxxxxx> --- scan.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scan.c b/scan.c index a6cb3bb..14138ca 100644 --- a/scan.c +++ b/scan.c @@ -2181,7 +2181,10 @@ void print_ies(unsigned char *ie, int ielen, bool unknown, .ie = ie, .ielen = ielen }; - while (ielen >= 2 && ielen >= ie[1]) { + if (ie == NULL || ielen < 0) + return; + + while (ielen >= 2 && ielen - 2 >= ie[1]) { if (ie[0] < ARRAY_SIZE(ieprinters) && ieprinters[ie[0]].name && ieprinters[ie[0]].flags & BIT(ptype)) { -- 2.25.0