From: Jouni Malinen <j@w1.fi>
Date: Sun, 20 Nov 2022 10:08:47 +0000 (+0200)
Subject: WPS: Check NDEF record length fields separately
X-Git-Tag: hostap_2_11~1519
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30403e96574b2fde643df446b8a52bc8eec5fd5d;p=thirdparty%2Fhostap.git

WPS: Check NDEF record length fields separately

Try to make the bounds checking easier for static analyzers by checking
each length field separately in addition to checking them all in the end
against the total buffer length.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/wps/ndef.c b/src/wps/ndef.c
index bb3c05548..63f0d527d 100644
--- a/src/wps/ndef.c
+++ b/src/wps/ndef.c
@@ -63,12 +63,18 @@ static int ndef_parse_record(const u8 *data, u32 size,
 	} else
 		record->id_length = 0;
 
+	if (record->type_length > data + size - pos)
+		return -1;
 	record->type = record->type_length == 0 ? NULL : pos;
 	pos += record->type_length;
 
+	if (record->id_length > data + size - pos)
+		return -1;
 	record->id = record->id_length == 0 ? NULL : pos;
 	pos += record->id_length;
 
+	if (record->payload_length > (size_t) (data + size - pos))
+		return -1;
 	record->payload = record->payload_length == 0 ? NULL : pos;
 	pos += record->payload_length;