NFC: Add a hardcoded limit on maximum NDEF payload length
While this is already enforced in practice due to the limits on the maximum control interface command length and total_length bounds checking here, this explicit check on payload_length value may help static analyzers understand the code better. (CID 122668) Signed-off-by: Jouni Malinen <j@w1.fi>
parent
aa517ae227
commit
2456264fad
1 changed files with 2 additions and 1 deletions
|
@ -48,7 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
|
||||||
if (size < 6)
|
if (size < 6)
|
||||||
return -1;
|
return -1;
|
||||||
record->payload_length = WPA_GET_BE32(pos);
|
record->payload_length = WPA_GET_BE32(pos);
|
||||||
if (record->payload_length > size - 6)
|
if (record->payload_length > size - 6 ||
|
||||||
|
record->payload_length > 20000)
|
||||||
return -1;
|
return -1;
|
||||||
pos += sizeof(u32);
|
pos += sizeof(u32);
|
||||||
}
|
}
|
||||||
|
|
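Review bot: The `20000` in the added condition `record->payload_length > 20000` is an unexplained literal in a length check on data parsed from the NDEF record. Give it a name and record where the bound comes from, e.g. `#define NDEF_MAX_PAYLOAD_LEN 20000 /* sanity cap; real limit is the control interface command length */`, then test `record->payload_length > NDEF_MAX_PAYLOAD_LEN`. The existing `size - 6` subtraction is safe only because of the `if (size < 6)` guard directly above, so a short comment tying the two together would help keep them from drifting apart. ndef_parse_record starts and ends outside this hunk; the other record-format branch and the later total_length check are not visible here, so it is worth confirming that every path that sets payload_length is bounded the same way.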