From 30403e96574b2fde643df446b8a52bc8eec5fd5d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 20 Nov 2022 12:08:47 +0200
Subject: [PATCH] WPS: Check NDEF record length fields separately

Try to make the bounds checking easier for static analyzers by checking each length field separately in addition to checking them all in the end against the total buffer length.

Signed-off-by: Jouni Malinen
---
 src/wps/ndef.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/wps/ndef.c b/src/wps/ndef.c
index bb3c05548..63f0d527d 100644
--- a/src/wps/ndef.c
+++ b/src/wps/ndef.c
@@ -63,12 +63,18 @@ static int ndef_parse_record(const u8 *data, u32 size,
 } else
 record->id_length = 0;
 
+ if (record->type_length > data + size - pos)
+ return -1;
 record->type = record->type_length == 0 ? NULL : pos;
 pos += record->type_length;
 
+ if (record->id_length > data + size - pos)
+ return -1;
 record->id = record->id_length == 0 ? NULL : pos;
 pos += record->id_length;
 
+ if (record->payload_length > (size_t) (data + size - pos))
+ return -1;
 record->payload = record->payload_length == 0 ? NULL : pos;
 pos += record->payload_length;
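Review bot: The `(size_t)` cast in the new `payload_length` check is sound only while `pos` cannot be past `data + size`; if it ever were, the negative pointer difference would wrap to a very large value and the check would pass instead of rejecting the record. Today that invariant comes from the `type_length` and `id_length` checks added just above, which compare against the signed difference without a cast. Those in turn appear to rely on the header parsing before the hunk leaving `pos` inside the buffer. The ordering dependency is implicit, so I would document it at the third check, for example `/* pos <= data + size is guaranteed by the type/id length checks above, so the cast cannot wrap */`. The field types and the start and end of `ndef_parse_record` are outside this hunk, so the note on the mixed signed/unsigned comparison styles is inferred from the visible lines only.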