While this is already enforced in practice due to the limits on the
maximum control interface command length and total_length bounds
checking here, this explicit check on payload_length value may help
static analyzers understand the code better. (CID 122668)
Signed-off-by: Jouni Malinen <j@w1.fi>
if (size < 6)
return -1;
record->payload_length = WPA_GET_BE32(pos);
- if (record->payload_length > size - 6)
+ if (record->payload_length > size - 6 ||
+ record->payload_length > 20000)
return -1;
pos += sizeof(u32);
}
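Review bot: The literal 20000 in the added condition `record->payload_length > 20000` has no explanation in the code. The commit message says this bound is already implied by the maximum control interface command length and the total_length check, but someone reading this function cannot see where the value comes from or whether it has to track those limits. Suggest replacing the literal with a named constant and a one-line comment stating that it is a sanity cap kept mainly for static analyzers, so a later change to the control interface limit does not leave this value stale without anyone noticing. The existing `size - 6` comparison is safe from underflow because of the `size < 6` check above it, so no change is needed there.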