From: Jouni Malinen <j@w1.fi>
Date: Wed, 8 Jul 2015 14:00:28 +0000 (+0300)
Subject: NFC: Add a hardcoded limit on maximum NDEF payload length
X-Git-Tag: hostap_2_5~437
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2456264fad1ecd400776afde0cf09d18448dbb4b;p=thirdparty%2Fhostap.git

NFC: Add a hardcoded limit on maximum NDEF payload length

While this is already enforced in practice due to the limits on the
maximum control interface command length and total_length bounds
checking here, this explicit check on payload_length value may help
static analyzers understand the code better. (CID 122668)

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/wps/ndef.c b/src/wps/ndef.c
index 50d018f94..cc8f6e5cb 100644
--- a/src/wps/ndef.c
+++ b/src/wps/ndef.c
@@ -48,7 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
 		if (size < 6)
 			return -1;
 		record->payload_length = WPA_GET_BE32(pos);
-		if (record->payload_length > size - 6)
+		if (record->payload_length > size - 6 ||
+		    record->payload_length > 20000)
 			return -1;
 		pos += sizeof(u32);
 	}