diff options
author | Jouni Malinen <j@w1.fi> | 2015-07-08 17:00:28 +0300 |
---|---|---|
committer | Jouni Malinen <j@w1.fi> | 2015-07-08 17:03:34 +0300 |
commit | 2456264fad1ecd400776afde0cf09d18448dbb4b (patch) | |
tree | ade5cf184aad916cc747919cb7428f862ed70e4f /src/wps | |
parent | aa517ae22784aff08d3d9e38ad101b4b5c9828fb (diff) | |
download | hostap-2456264fad1ecd400776afde0cf09d18448dbb4b.tar.gz |
NFC: Add a hardcoded limit on maximum NDEF payload length
While this is already enforced in practice due to the limits on the
maximum control interface command length and total_length bounds
checking here, this explicit check on payload_length value may help
static analyzers understand the code better. (CID 122668)
Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/wps')
-rw-r--r-- | src/wps/ndef.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/wps/ndef.c b/src/wps/ndef.c index 50d018f94..cc8f6e5cb 100644 --- a/src/wps/ndef.c +++ b/src/wps/ndef.c @@ -48,7 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size, if (size < 6) return -1; record->payload_length = WPA_GET_BE32(pos); - if (record->payload_length > size - 6) + if (record->payload_length > size - 6 || + record->payload_length > 20000) return -1; pos += sizeof(u32); } |