WPS: Check NDEF record length fields separately
authorJouni Malinen <j@w1.fi>
Sun, 20 Nov 2022 10:08:47 +0000 (12:08 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 20 Nov 2022 13:15:58 +0000 (15:15 +0200)
Try to make the bounds checking easier for static analyzers by checking
each length field separately in addition to checking them all in the end
against the total buffer length.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/wps/ndef.c

index bb3c055486c027ca994054440aa13c4a8df63f53..63f0d527d5874e3e5636d7c4d7108d4dba158b10 100644 (file)
@@ -63,12 +63,18 @@ static int ndef_parse_record(const u8 *data, u32 size,
        } else
                record->id_length = 0;
 
+       if (record->type_length > data + size - pos)
+               return -1;
        record->type = record->type_length == 0 ? NULL : pos;
        pos += record->type_length;
 
+       if (record->id_length > data + size - pos)
+               return -1;
        record->id = record->id_length == 0 ? NULL : pos;
        pos += record->id_length;
 
+       if (record->payload_length > (size_t) (data + size - pos))
+               return -1;
        record->payload = record->payload_length == 0 ? NULL : pos;
        pos += record->payload_length;
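Review bot: The payload check casts `data + size - pos` to `size_t`, while the two checks before it compare the signed pointer difference directly, so the third check is only sound because the first two guarantee `pos <= data + size` by that point. If those checks were reordered or dropped, a negative difference would turn into a very large unsigned value and an oversized `payload_length` taken from the parsed record would pass the test. A short comment above the payload check would record that dependency, e.g. `/* pos <= data + size is guaranteed by the checks above, so the cast cannot wrap */`. The body of ndef_parse_record starts and ends outside this hunk, so whether `pos` is already bounded before the first added check cannot be confirmed from here.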