erp: Fix off by one error

The intent of this check is to make sure that at least 2 bytes are available for reading. However, the unintended consequence is that tags with a zero length at the end of input would be rejected. While here, rework the check to be more resistant to potential overflow conditions.
2024-11-25 17:59:25 +01:00 · 2022-01-14 10:22:41 -06:00 · 2022-01-14 10:22:41 -06:00 · eddcc4c5b6
commit eddcc4c5b6
parent 938e056896
1 changed files with 1 additions and 1 deletions
--- a/src/erp.c
+++ b/src/erp.c
@ -117,7 +117,7 @@ static bool erp_tlv_iter_next(struct erp_tlv_iter *iter)
 	unsigned int tag;
 	unsigned int len;

-	if (iter->pos + 2 >= iter->max)
+	if (end - tlv < 2)
 		return false;

 	tag = *tlv++;