aboutsummaryrefslogtreecommitdiffstats
path: root/src/wps
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-07-08 14:00:28 (GMT)
committerJouni Malinen <j@w1.fi>2015-07-08 14:03:34 (GMT)
commit2456264fad1ecd400776afde0cf09d18448dbb4b (patch)
treeade5cf184aad916cc747919cb7428f862ed70e4f /src/wps
parentaa517ae22784aff08d3d9e38ad101b4b5c9828fb (diff)
downloadhostap-2456264fad1ecd400776afde0cf09d18448dbb4b.zip
hostap-2456264fad1ecd400776afde0cf09d18448dbb4b.tar.gz
hostap-2456264fad1ecd400776afde0cf09d18448dbb4b.tar.bz2
NFC: Add a hardcoded limit on maximum NDEF payload length
While this is already enforced in practice due to the limits on the maximum control interface command length and total_length bounds checking here, this explicit check on payload_length value may help static analyzers understand the code better. (CID 122668) Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/wps')
-rw-r--r--src/wps/ndef.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/wps/ndef.c b/src/wps/ndef.c
index 50d018f..cc8f6e5 100644
--- a/src/wps/ndef.c
+++ b/src/wps/ndef.c
@@ -48,7 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
if (size < 6)
return -1;
record->payload_length = WPA_GET_BE32(pos);
- if (record->payload_length > size - 6)
+ if (record->payload_length > size - 6 ||
+ record->payload_length > 20000)
return -1;
pos += sizeof(u32);
}