Merge "wpa_supplicant_lib: Fix integer overflow in result_copy_to_buf" into wlan-aosp.lnx.13.0
diff --git a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
index 00cdae7..8fb06cb 100644
--- a/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
+++ b/qcwcn/wpa_supplicant_8_lib/driver_cmd_nl80211.c
@@ -3899,16 +3899,19 @@
 
 char *result_copy_to_buf(char *src, char *dst_buf, int *dst_len)
 {
-	int str_len, remaining = 0;
+	size_t str_len, remaining = 0;
+
+	if (!dst_buf || *dst_len < 0)
+		return NULL;
 
 	remaining = *dst_len;
 	str_len = strlen(src);
-	remaining = remaining - (str_len + 1);
 
-	if (remaining <= 0) {
-		wpa_printf(MSG_ERROR, "destination buffer length not enough");
+	if (remaining > 0 && (remaining - 1) > str_len)
+		remaining = remaining - (str_len + 1);
+	else
 		return NULL;
-	}
+
 	os_memcpy(dst_buf, src, str_len);
 
 	*dst_len = remaining;