NFC: Add a hardcoded limit on maximum NDEF payload length
While this is already enforced in practice due to the limits on the maximum control interface command length and total_length bounds checking here, this explicit check on payload_length value may help static analyzers understand the code better. (CID 122668) Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
aa517ae227
commit
2456264fad
1 changed files with 2 additions and 1 deletions
|
@ -48,7 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
|
|||
if (size < 6)
|
||||
return -1;
|
||||
record->payload_length = WPA_GET_BE32(pos);
|
||||
if (record->payload_length > size - 6)
|
||||
if (record->payload_length > size - 6 ||
|
||||
record->payload_length > 20000)
|
||||
return -1;
|
||||
pos += sizeof(u32);
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue