From 119a1e7de3e97996efad2013a9251767e3c470a4 Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Tue, 15 Jul 2014 19:07:05 -0500
Subject: [PATCH] ie: Add additional boundary checking

==20758== Invalid read of size 1
==20758== at 0x401254: ie_tlv_iter_next (ie.c:55)
==20758== by 0x40104B: ie_test (test-ie.c:57)
==20758== by 0x4021C0: l_test_run (test.c:83)
==20758== by 0x4011B7: main (test-ie.c:123)
==20758== Address 0x51e10f3 is 0 bytes after a block of size 19 alloc'd
==20758== at 0x4C2C874: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20758== by 0x4010CF: append_data (test-ie.c:101)
==20758== by 0x40118F: main (test-ie.c:119)
==20758==
==20758== Invalid read of size 1
==20758== at 0x401266: ie_tlv_iter_next (ie.c:56)
==20758== by 0x40104B: ie_test (test-ie.c:57)
==20758== by 0x4021C0: l_test_run (test.c:83)
==20758== by 0x4011B7: main (test-ie.c:123)
==20758== Address 0x51e10f4 is 1 bytes after a block of size 19 alloc'd
==20758== at 0x4C2C874: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20758== by 0x4010CF: append_data (test-ie.c:101)
==20758== by 0x40118F: main (test-ie.c:119)
---
 src/ie.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/ie.c b/src/ie.c
index 35057cf7..8ee0c77b 100644
--- a/src/ie.c
+++ b/src/ie.c
@@ -49,6 +49,9 @@ bool ie_tlv_iter_next(struct ie_tlv_iter *iter)
 unsigned int tag;
 unsigned int len;
 
+ if (iter->pos >= iter->max)
+ return false;
+
 tag = *tlv++;
 len = *tlv++;
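Review bot: The new guard `if (iter->pos >= iter->max)` only establishes that one byte remains, but the two context lines right after it consume two, `tag = *tlv++;` and `len = *tlv++;`, so an element whose tag byte sits at `max - 1` still reads its length byte one past the end — which is the second invalid read in the valgrind trace ("1 bytes after a block"). The check should cover the whole two-byte header, e.g. `if (iter->pos + 2 > iter->max) return false;` (or keep the existing `>=` test and add `iter->max - iter->pos < 2` if `pos` may legitimately exceed `max`; the types of `pos` and `max` are not visible here). This assumes `tlv` has been positioned at `iter->pos` before the hunk, which is set up outside it. Whether `len` is then bounded against the bytes left before the value is consumed is also not visible; the body of ie_tlv_iter_next continues past the hunk, and for a TLV parsed from an untrusted frame that check matters as much as this one.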