From ab3ab50757534114b1d005e19dd9d4b30cd5fab7 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Tue, 30 Oct 2018 19:15:11 +0200
Subject: [PATCH] HS 2.0: Fix Terms and Conditions URL handling

Do not try to determine the length of the T&C Server URL before checking
that the URL is available. This got broken in a change to move the
handling to the AS. hostapd could potentially have hit a NULL pointer
dereference if the authentication server sent an unconsistent set of T&C
information.

Fixes: d4e39c51f8bb ("HS 2.0: Move Terms and Conditions Server URL generation from AP to AS")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
 src/ap/hs20.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/ap/hs20.c b/src/ap/hs20.c
index 98d016d96..e265569ae 100644
--- a/src/ap/hs20.c
+++ b/src/ap/hs20.c
@@ -184,13 +184,14 @@ int hs20_send_wnm_notification_t_c(struct hostapd_data *hapd,
 {
 	struct wpabuf *buf;
 	int ret;
-	size_t url_len = os_strlen(url);
+	size_t url_len;
 
 	if (!url) {
 		wpa_printf(MSG_INFO, "HS 2.0: No T&C Server URL available");
 		return -1;
 	}
 
+	url_len = os_strlen(url);
 	if (5 + url_len > 255) {
 		wpa_printf(MSG_INFO,
 			   "HS 2.0: Too long T&C Server URL for WNM-Notification: '%s'",