NFC: Add a hardcoded limit on maximum NDEF payload length

While this is already enforced in practice due to the limits on the
maximum control interface command length and total_length bounds
checking here, this explicit check on payload_length value may help
static analyzers understand the code better. (CID 122668)

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2015-07-08 17:00:28 +03:00
parent aa517ae227
commit 2456264fad

@ -48,7 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
if (size < 6) if (size < 6)
return -1; return -1;
record->payload_length = WPA_GET_BE32(pos); record->payload_length = WPA_GET_BE32(pos);
if (record->payload_length > size - 6) if (record->payload_length > size - 6 ||
record->payload_length > 20000)
return -1; return -1;
pos += sizeof(u32); pos += sizeof(u32);
} }
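
Review bot: The literal 20000 in the added `record->payload_length > 20000` condition is a magic number with no comment at the point of use. Only the commit message explains that it is a deliberate hardcoded cap and that it is already implied by the control interface command length limit. Consider giving it a named constant with a one-line comment stating where the value comes from, so a later reader does not mistake it for a protocol limit and so the bound can be adjusted in one place. The existing `size < 6` check before `size - 6` keeps the subtraction from wrapping, so the order of the two conditions is fine as written.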